What makes people click: Assessing individual differences in susceptibility to email fraud - Lancaster EPrints - Lancaster University [PDF]

What makes people click: Assessing individual differences in susceptibility to email fraud

Helen S. Jones
BA (Hons), MSc

A thesis submitted for the degree of Doctor of Philosophy

Department of Psychology
Lancaster University
August 2016

Declaration

I declare that this thesis is my own work, and has not been submitted in substantially the same form for the award of a higher degree at this institution or elsewhere.

Name: Helen S. Jones
Signature: __________________
Date: __________________

Publications

The text from Chapter 1 of this thesis overlaps with text from Jones, H. S., Towse, J., and Race, N. (2015). Susceptibility to email fraud: A review of psychological perspectives, data-collection methods, and ethical considerations. International Journal of Cyber Behaviour, Psychology and Learning, 5(3), 13-29.

An edited version of Chapter 3 is currently under revision, following comments from reviewers, for publication in Applied Cognitive Psychology: Jones, H. S., Towse, J., Race, N., and Harrison, T. (under review). Email fraud – the search for psychological markers of susceptibility.

Abstract

Cyber security experts have acknowledged that human users are consistently the most vulnerable part of a computer network; however, little psychological research has considered why. This thesis focuses on susceptibility to email fraud, and highlights three core approaches to understanding why some users are more likely to respond than others, using a mixed methods approach across seven experiments.

The first approach considers the persuasive techniques employed by the sender to make an email more believable. Qualitative data from Studies 1 and 5 demonstrate that authority, familiarity, and the relevance of a communication are important factors when users are considering the legitimacy of an email.

The second approach focuses on the situational factors that may make users more susceptible under specific circumstances. Findings demonstrate that time pressure (Study 3) and a secondary verbal task (Study 6) can impair accuracy in judging email legitimacy.

Finally, individual differences in cognitive make-up between users are considered, with two distinct tasks used to measure susceptibility. Using a forced-choice email legitimacy task (Study 3) and an office simulation, in which participants were naïve to the purpose of the research (Study 7), cognitive reflection, inhibition, and sensation seeking were found to be influential in the decision-making process.

The findings from this thesis outline key influencing factors, which explain some of the variance in individual differences in susceptibility to email fraud. These provide valuable points for consideration in future efforts to educate users on issues surrounding email fraud. Further to this, the development of two lab-based measures of susceptibility, with findings replicated between the two, provides a platform for further research in understanding and reducing susceptibility. Variations upon the email legitimacy task demonstrate how this can be used to assess effects of a number of manipulations, such as different proportions of phishing and legitimate stimuli (Study 4) and dual-task paradigms (Study 6). The incorporation of additional qualitative data analysis in the thesis, from the use of focus group discussions (Study 1) and think-aloud protocols (Study 5), also provides convergent evidence for the quantitative research findings reported.
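The abstract reports the forced-choice email legitimacy task in terms of accuracy, and notes that Study 4 varies the proportion of phishing to legitimate stimuli. The following is an added example, not code from the thesis: the thesis's own confidence-based scoring (Table 3.2) is not reproduced on this page, so the scoring here uses standard signal detection measures (hit rate, false-alarm rate, balanced accuracy, d') as an assumed alternative. The two response strategies (`careful`, `trusting`) and the 20/20 and 10/30 stimulus mixes are constructed for illustration and are not the thesis's participants or proportions. What the example shows is why raw accuracy on such a task has to be read against the stimulus mix: both responders' accuracy rises when phishing emails become rarer, even though neither has changed behaviour, while hit rate, false-alarm rate and d' stay put.

```python
"""Scoring a forced-choice email legitimacy task under different stimulus mixes.

Added example, not code from the thesis. The thesis's own confidence-based
scoring (Table 3.2) is not reproduced on this page, so the measures used
here (hit rate, false-alarm rate, balanced accuracy, d') are an assumed,
standard signal detection scoring. All responses and proportions are
constructed for illustration.
"""
from statistics import NormalDist

PHISHING = "phishing"
LEGIT = "legitimate"


def make_trials(n_phish, n_legit, responder):
    """Constructed stimulus set: n_phish phishing and n_legit legitimate emails.

    Each email is judged by responder(stimulus, k), where k is the running
    index of that stimulus type, so a responder can follow a fixed pattern
    and the example stays deterministic.
    """
    trials = []
    for stimulus, n in ((PHISHING, n_phish), (LEGIT, n_legit)):
        for k in range(n):
            trials.append((stimulus, responder(stimulus, k)))
    return trials


def trusting(stimulus, k):
    """Hypothetical responder who judges every email legitimate (pure bias)."""
    return LEGIT


def careful(stimulus, k):
    """Hypothetical responder: catches 4 in 5 phishing emails, flags 1 in 10 legitimate ones."""
    if stimulus == PHISHING:
        return LEGIT if k % 5 == 4 else PHISHING   # misses every fifth phishing email
    return PHISHING if k % 10 == 9 else LEGIT      # false alarm on every tenth legitimate email


def score(trials):
    """Return accuracy plus base-rate-independent measures for (truth, response) trials."""
    hits = misses = false_alarms = correct_rejections = 0
    for truth, response in trials:
        if truth == PHISHING:
            if response == PHISHING:
                hits += 1
            else:
                misses += 1
        elif response == PHISHING:
            false_alarms += 1
        else:
            correct_rejections += 1
    n_phish = hits + misses
    n_legit = false_alarms + correct_rejections
    hit_rate = hits / n_phish
    fa_rate = false_alarms / n_legit
    result = {
        "accuracy": (hits + correct_rejections) / len(trials),
        "hit_rate": hit_rate,
        "false_alarm_rate": fa_rate,
        # mean of hit rate and correct-rejection rate, computed in one division
        # so equal rates give identical results across conditions
        "balanced_accuracy": (hits * n_legit + correct_rejections * n_phish) / (2 * n_phish * n_legit),
        # d' = z(hit rate) - z(false-alarm rate); undefined at rates of 0 or 1
        # without a correction, so an all-one-way responder gets None here
        "d_prime": None,
    }
    if 0 < hit_rate < 1 and 0 < fa_rate < 1:
        z = NormalDist().inv_cdf
        result["d_prime"] = z(hit_rate) - z(fa_rate)
    return result


# Constructed stimulus mixes (the thesis's actual proportions are not on this page).
CONDITIONS = {"balanced": (20, 20), "skewed": (10, 30)}
RESPONDERS = {"careful": careful, "trusting": trusting}


def run_conditions():
    """Score every responder under every stimulus mix."""
    return {
        cond: {name: score(make_trials(n_p, n_l, fn)) for name, fn in RESPONDERS.items()}
        for cond, (n_p, n_l) in CONDITIONS.items()
    }


if __name__ == "__main__":
    for cond, by_responder in run_conditions().items():
        for name, m in by_responder.items():
            d = "n/a" if m["d_prime"] is None else f"{m['d_prime']:.2f}"
            print(f"{cond:8s} {name:8s} acc={m['accuracy']:.3f} "
                  f"HR={m['hit_rate']:.2f} FAR={m['false_alarm_rate']:.2f} "
                  f"bal_acc={m['balanced_accuracy']:.2f} d'={d}")
```

The `trusting` responder is the case to watch: with 25% phishing it scores 75% accuracy having detected nothing, and its d' is undefined because both rates sit at 0. Whoever aggregates click rates from a phishing simulation faces the same problem, which is why hit and false-alarm rates (or their confidence-weighted equivalents) should be reported alongside, not instead of, accuracy.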

Acknowledgements

First of all, I'd like to express my gratitude to John Towse for his excellent guidance and expertise that have helped shape the thesis into what it is now. It goes without saying that this thesis wouldn't have happened without you, so I thank you for the opportunity to work with you, and I hope that we will be able to continue working together in the future. To Nick Race, for your insights from computer science, especially in putting together the publications we have so far from this thesis. It's been really interesting for me to learn more about the technical aspects of cyber security. To Tim Harrison, for providing a constant source of contact for liaison and collaborations with Dstl, and for your help guiding us through the ethics process.

To my Dad, thank you for always having a spare bed at the country retreat for escapes from Lancaster. For the long walks in the Shropshire hills – there are few better places to clear your mind of scam emails than on the top of the Long Mynd with zero phone signal! But more importantly, thank you for supporting me during the PhD process and for your patience in how long it's taken to finish.

To all the people I have met along the way – I came to Lancaster as an undergraduate and I've seen a lot of people come and go in that time. Maybe now it's finally my turn to move on! I've had an amazing time here, but it would have been nothing without the people. Beth, thank you for many a prosecco and fondue-filled evening away from the PhD, for laughter and adventures on conference frolics, from Enschede to Russia, next stop Sydney. To Diana, for the PhD and non-PhD chats on the snow slope and the climbing wall, we'll get back on there soon I promise. To Dr. Watson, for your words of wisdom and encouragement when I'm suffering from impostor syndrome. To Rob, for the constant stream of Imgur links that make me laugh even from the deepest depths of thesis writing. And to Jack, you came into my life at the most stressful point to date, so thank you for your patience and support while I've been finishing up my PhD – let the adventures begin!

I don't think I realised until I started this PhD how valuable office mates can be to make the good days better and to keep you motivated through the bad days – so thank you to Sophie, for your no-nonsense attitude to life, you are an inspiration! Steven, for always being there to talk things through, not only in the office but also on the dance floor in Hustle… (amongst other places)! To James, for brightening the office with your excellent t-shirt collection and constant supply of biscuits. And to Becky, for listening to many rants, both work related and not, for all our much-needed lunch breaks, and of course for the numerous little adventures outside the office. Without you I would never have met Gino D'Acampo, how empty my life would have been! There are too many other amazing people in the department who I could thank, but I think this thesis is long enough! You know who you are, and I will just say that I am so grateful for the supportive and friendly social group that exists here, this would have been a much more difficult process without you all.

Finally, and most importantly, to my Mum. I wish you were here to see what I have achieved; I know you would have liked to read the thesis (or maybe I would just have liked to make you read it…). Thank you for the love and encouragement that got me where I am today, I know you would be proud, and that's all I needed to get me to this point.

Table of contents

List of Tables ..... xiii
List of Figures ..... xvi
Chapter 1 ..... 1
  1.1 Introduction ..... 2
    1.1.1 Demographic influences on susceptibility ..... 5
    1.1.2 The current thesis ..... 6
  1.2 Theoretical perspectives ..... 8
    1.2.1 Persuasive techniques employed by the sender ..... 8
    1.2.2 Situational factors affecting cognitive processing ..... 10
    1.2.3 Cognitive make-up of the user ..... 14
  1.3 Measuring susceptibility ..... 17
    1.3.1 Scale measures ..... 18
    1.3.2 Email legitimacy tasks ..... 19
    1.3.3 Working with past victims ..... 23
    1.3.4 Simulated phishing attacks ..... 27
  1.4 Overview of the thesis ..... 30
Chapter 2 ..... 33
  2.1 Introduction ..... 34
  2.2 Study one ..... 37
    2.2.1 Method ..... 37
      2.2.1.1 Participants ..... 37
      2.2.1.3 Materials ..... 37
      2.2.1.4 Procedure ..... 39
      2.2.1.5 Data collation ..... 40
    2.2.2 Results ..... 40
      2.2.2.1 Questionnaire data ..... 40
      2.2.2.2 Focus group data ..... 44
    2.2.3 Discussion ..... 51
  2.3 Study two ..... 55
    2.3.1 Method ..... 55
      2.3.1.1 Participants ..... 55
      2.3.1.3 Materials ..... 56
      2.3.1.4 Procedure ..... 56
      2.3.1.5 Data collation ..... 57
    2.3.2 Results ..... 57
      2.3.2.1 Descriptive statistics ..... 57
      2.3.2.2 Demographic data ..... 58
      2.3.2.3 Context information ..... 58
      2.3.2.4 Reasons for response decision ..... 58
    2.3.3 Discussion ..... 59
  2.4 Study 2a ..... 61
    2.4.1 Method ..... 61
      2.4.1.1 Participants ..... 61
      2.4.1.3 Materials ..... 62
      2.4.1.4 Procedure ..... 63
      2.4.1.5 Data collation ..... 63
    2.4.2 Results ..... 64
      2.4.2.1 Collective analysis ..... 64
      2.4.2.2 Responses from open day 1 ..... 65
      2.4.2.3 Responses from open days 2 + 3 ..... 66
      2.4.2.4 Responses from open day 4 ..... 67
    2.4.3 Discussion ..... 67
  2.5 General discussion ..... 70
    2.4.1 Conclusion ..... 72
Chapter 3 ..... 74
  3 Study three ..... 75
    3.1 Introduction ..... 75
    3.2 Method ..... 83
      3.2.1 Participants ..... 83
      3.2.2 Design ..... 83
      3.2.3 Materials ..... 83
      3.2.4 Procedure ..... 89
      3.2.5 Data collation ..... 90
    3.3 Results ..... 93
      3.3.1 Email legitimacy task ..... 93
      3.3.2 Email usage questionnaire ..... 97
      3.3.3 Cognitive measures – Set 1 ..... 97
      3.3.4 Set 2 ..... 101
    3.4 Discussion ..... 103
      3.4.1 Conclusion ..... 109
Chapter 4 ..... 110
  4 Study four ..... 111
    4.1 Introduction ..... 111
    4.2 Method ..... 113
      4.2.1 Participants ..... 113
      4.2.2 Design ..... 114
      4.2.3 Materials ..... 114
      4.2.4 Procedure ..... 115
      4.2.5 Data collation ..... 117
    4.3 Results ..... 117
      4.3.1 Email legitimacy task ..... 117
      4.3.2 Email usage questionnaire ..... 119
      4.3.3 Cognitive measures – Set 1 ..... 120
      4.3.4 Set 2 ..... 120
    4.4 Discussion ..... 121
      4.4.1 Conclusion ..... 124
Chapter 5 ..... 126
  5 Study 4a ..... 127
    5.1 Introduction ..... 127
    5.2 Method ..... 129
      5.2.1 Participants ..... 129
      5.2.2 Design ..... 129
      5.2.3 Materials ..... 130
      5.2.3 Procedure ..... 132
      5.2.4 Data collation ..... 133
    5.3 Results ..... 133
      5.3.1 Reliability analysis ..... 133
      5.3.2 Moses illusion ..... 135
    5.4 Discussion ..... 136
      5.4.1 Conclusion ..... 138
Chapter 6 ..... 140
  6 Study five ..... 141
    6.1 Introduction ..... 141
    6.2 Method ..... 146
      6.2.1 Participants ..... 146
      6.2.3 Materials ..... 147
      6.2.4 Procedure ..... 148
      6.2.5 Data collation ..... 149
    6.3 Results ..... 150
      6.3.1 Email legitimacy task ..... 150
      6.3.2 Cognitive tasks ..... 152
      6.3.3 Think-aloud analysis ..... 152
    6.4 Discussion ..... 161
      6.4.1 Email legitimacy task ..... 162
      6.4.2 Cognitive measures ..... 163
      6.4.3 Think-aloud responses ..... 164
      6.4.4 Conclusion ..... 168
Chapter 7 ..... 170
  7 Study six ..... 171
    7.1 Introduction ..... 171
    7.2 Method ..... 176
      7.2.1 Participants ..... 176
      7.2.2 Design ..... 177
      7.2.3 Materials ..... 177
      7.2.4 Procedure ..... 178
      7.2.5 Data collation ..... 180
    7.3 Results ..... 180
      7.3.1 Email legitimacy task performance ..... 180
      7.3.2 Response times on email task ..... 182
      7.3.3 Confidence in recognising phishing emails ..... 184
      7.3.4 Cognitive reflection test ..... 184
    7.4 Discussion ..... 185
      7.4.1 Email task performance and cognitive load ..... 185
      7.4.2 Response times and email task performance ..... 187
      7.4.3 Understanding of the term 'phishing' ..... 188
      7.4.4 Cognitive reflection and email task performance ..... 189
      7.4.5 Conclusions and future directions ..... 190
Chapter 8 ..... 192
  8 Study seven ..... 193
    8.1 Introduction ..... 193
    8.2 Method ..... 200
      8.2.1 Participants ..... 200
      8.2.2 Design ..... 201
      8.2.3 Materials ..... 201
      8.2.4 Procedure ..... 204
      8.2.5 Data collation ..... 207
    8.3 Results ..... 208
      8.3.1 Response likelihood to phishing emails ..... 208
      8.3.2 Cognitive measures ..... 213
    8.4 Discussion ..... 215
      8.4.1 Situational manipulations ..... 218
      8.4.2 Cognitive variables ..... 221
      8.4.1 Limitations and future research ..... 224
      8.4.2 Conclusions ..... 225
Chapter 9 ..... 227
  9.1 Background and main aims of the thesis ..... 228
  9.2 Understanding the issue of email fraud victimisation ..... 229
  9.3 Measuring susceptibility ..... 231
  9.4 Assessing the influence of cognitive make-up on susceptibility ..... 236
  9.5 Assessing situational influences on susceptibility ..... 241
  9.6 Assessing persuasive techniques employed in phishing emails ..... 244
  9.7 Major contributions from the thesis ..... 246
    9.7.1 Theoretical contributions ..... 246
    9.7.2 Methodological contributions ..... 249
    9.7.3 Additional contributions ..... 251
  9.8 Limitations of the research ..... 252
  9.9 Future directions ..... 257
    9.9.1 Development of methodology ..... 257
    9.9.2 Theoretical implications ..... 259
    9.9.3 Applications of research findings ..... 259
  9.10 Conclusions ..... 260
References ..... 262
Appendices ..... 275

List of Tables

Table 2.1 Percentage of participants who reported experiencing offline fraud in each context ..... 41
Table 2.2 Number of hours spent online each day by participants ..... 43
Table 2.3 Percentage of participants who reported experiencing online fraud in each context ..... 43
Table 2.4 Means and standard deviations for self-control scale and cognitive reflection test scores by response to fraudulent communication ..... 44
Table 2.5 Framework of user focus group themes ..... 45
Table 2.6 Percentage of participants who reported having received fraudulent communications through each medium in online and offline environments ..... 59
Table 2.7 Frequency of reasons given for not responding to a fraudulent communication ..... 59
Table 2.8 Descriptive statistics for each open day ..... 62
Table 2.9 Frequency of reasons given for not responding to a phishing email ..... 65
Table 2.10 Percentage of participants who correctly recognised each email ..... 66
Table 2.11 Percentage of participants who correctly recognised each email ..... 66
Table 2.12 Percentage of participants who correctly recognised each email ..... 67
Table 3.1 Outline of the tasks to be used in this study ..... 86
Table 3.2 Scoring system for confidence scores on email judgment task ..... 91
Table 3.3 Descriptive statistics for measures calculated from email legitimacy task ..... 95
Table 3.4 Correlations between measures from the email legitimacy task ..... 96
Table 3.5 Percentage responses to questions on the email usage questionnaire ..... 98
Table 3.6 Descriptive statistics for cognitive tasks in set 1 ..... 99
Table 3.7 Correlations between cognitive tasks in set 1 and email legitimacy task scores ..... 100
Table 3.8 Summary of multiple regression analyses for cognitive variables in set 1 predicting email task behaviour ..... 101
Table 3.9 Descriptive statistics for cognitive tasks in set 2 ..... 101
Table 3.10 Correlations between cognitive tasks in set 2 and email legitimacy task scores ..... 102
Table 3.11 Summary of multiple regression analyses for cognitive variables in group 2 predicting email task behaviour ..... 102
Table 4.1 Sets of cognitive measures ..... 115
Table 4.2 Outline of conditions ..... 115
Table 4.4 Descriptive statistics for cognitive measures in set 1 ..... 120
Table 4.5 Descriptive statistics for cognitive measures in set 2 ..... 121
Table 6.1 Correlations between performance measures on the email legitimacy task ..... 151
Table 7.1 Secondary tasks whilst completing the email task ..... 178
Table 7.2 Means and standard deviations for performance on the email task ..... 182
Table 8.1 Summary of phishing email stimuli ..... 203
Table 8.2 Frequency for reasons given by participants who deleted or did not open each email ..... 208
Table 8.3 Frequency for each action on each phishing email ..... 209
Table 8.4 Correlations between response types to phishing emails ..... 209
Table 8.5 Descriptive statistics for cognitive measures ..... 213
Table 8.6 Correlations between cognitive measures and responses to phishing emails ..... 214
Table 8.7 Summary of best-fit regression models for cognitive measures predicting response to phishing emails ..... 214
Table 9.1 Mean accuracy and confidence score for the email legitimacy task across studies 3 to 6 ..... 233

xiv!

Table%9.2*Mean*differences*in*accuracy*on*the*email*legitimacy*task*for*each* experiment%........................................................................................................%233! Table%9.3*Summary*of*bestCfit*regression*models*for*cognitive*measures*predicting* response*accuracy*across*experiments%.............................................................%238! % ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !


List of Figures

Figure 2.1 The Cognitive Reflection Test ... 38
Figure 2.3 Reasons given for choosing not to respond to fraudulent communications in offline and online environments ... 42
Figure 3.1 Diagram to show mean rating across participants for each email stimulus ... 94
Figure 5.1 Questions included in the Moses illusion task ... 131
Figure 5.2 Number of emails correctly identified at test session 1 and test session 2 ... 134
Figure 5.3 Confidence score at test session 1 and test session 2 ... 135
Figure 6.1 Frequency of reference to cue types in email decision-making ... 153
Figure 7.1 Finger tapping sequence for complex condition of secondary task ... 179
Figure 7.2 Mean response times on email legitimacy task by secondary task condition ... 183
Figure 8.1 Graph to show mean number of emails and standard deviation for each response type by time pressure condition ... 211
Figure 8.2 Graph to show mean number of emails and standard deviation for each response time by priming condition ... 212
Figure 9.1 Diagram of evidence-based theoretical approaches to understanding individual differences in susceptibility to email fraud ... 247

Chapter 1 General introduction

Chapter summary

This chapter provides a rationale for the research to be reported in the thesis, highlighting previous research from psychology and computer science. Three core theoretical approaches are considered in addressing the issue of individual differences in email fraud susceptibility. These are: the psychology of persuasion, situational influences on cognitive processing, and the cognitive make-up of the user. In addition to the theoretical constructs to be examined in the thesis, methodological approaches to assessing susceptibility are discussed in terms of practical benefits in line with ethical restrictions. Finally, this chapter provides an overview of the studies that will be reported in the current thesis.

1.1 Introduction

The internet provides an ever-expanding, valuable resource for entertainment, communication, and commerce. However, along with this comes the ever more sophisticated threat of cyber attack, with over two and a half million incidents of computer misuse reported in 2015 (covering infection by viruses and account hacking, often a result of response to phishing emails; Office for National Statistics, 2015). Such incidents have obvious implications on a personal and commercial level, as well as within the criminal justice system. However, psychologically, they also offer an intriguing arena for the understanding of the decision-making processes leading to online fraud victimisation. In this chapter, previous research in this area will be discussed from both a theoretical and methodological perspective, followed by an overview of the empirical research that follows in the thesis to address key unanswered questions.

The thesis will provide a psychological analysis of decision-making surrounding email management and phishing emails, focusing on the role of cognitive variables on detection accuracy. A definition of phishing is not straightforward given the multitude of formats that these communications can take. Nonetheless, one broad and useful description is offered by Myers (2007):

"Phishing: A form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate users' confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organisation in an automated fashion." (p. 1)

Most phishing emails are sent out to thousands of internet users, with only a small response rate necessary to make it worthwhile (economically) for the attacker. On average, successful phishing attempts have around a five per cent response rate (Norton, 2014). This makes phishing a potentially more sustainable fraud than traditional formats, such as postal and telephone fraud, which incur higher financial and time costs for the fraudster.

Computer science research is continually developing algorithms to detect phishing emails before they reach the user's inbox, both in traditional network-based systems (e.g. Fette, Sadeh, & Tomasic, 2007; Bergholz et al., 2010; Islam & Abawajy, 2013) and, more recently, in cloud-based systems which aim to detect and eradicate phishing attacks in the cloud before they even reach the network (Salah, Alcaraz Calero, Zeadally, Al-Mulla, & Alzaabi, 2013). However, a simultaneous increase in the sophistication of the emails themselves and in the volume being sent means that the benefits of newly developed approaches are often short-lived; advances in the technology developed to protect against phishing attacks are often quickly mirrored in the methods used by the fraudsters to circumvent such detection algorithms. Similarly, efforts to block the phishing websites that emails direct users to, through automated heuristic filters which detect machine-learned patterns (e.g. in words used on the webpage: Abu-Nimeh, Nappa, Wang, & Nair, 2007; or in URLs: Garera, Provos, Chew, & Rubin, 2007), or through manual blacklisting, face the same issue of continual technological advancement on the part of the fraudsters in line with that of the researchers. Moreover, encouraging reliance on security software may result in users developing a false sense of security. If they believe (erroneously) that software can reliably capture phish, then they may treat all messages that reach their inbox undetected, and accessible linked websites, as being genuine. The required sophistication in filtering software also means that false positives occur, with legitimate emails being filtered out of inboxes as spam. An overreliance on these filters means that users are at risk of missing important messages, as highlighted by participants during focus group discussions in Study 1. The inaccuracy in these filtering efforts means that it is left to the user to recognise and manage potential phishing attempts.

It is acknowledged by experts in the field of cyber security that human susceptibility is often the biggest problem, though (Mitnick & Simon, 2002; Schneier, 2000a), with a well-known quote from Schneier suggesting that "only amateurs attack machines; professionals target people" (Schneier, 2000b). He goes so far as to suggest that even if absolute computer security were achieved technologically, the reliance on user interaction to manage the software means the system would still be vulnerable. In relation to email management, biases in human decision-making lead some users to respond to phishing emails whilst thousands of others will receive the same email and ignore it or delete it straight away. This raises the question of why certain users make these poor decisions but others do not: is this just the luck of the draw, or is there at least some level of systematic group differentiation? For example, there is a common assumption that advancing age leads to increased susceptibility, when in fact the research surrounding this is either inconclusive or suggests a more complex explanation.
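The filter discussion above mentions URL-based heuristic detection (Garera, Provos, Chew, & Rubin, 2007) and the two problems that push the final decision back onto the user: fraudsters adapt to whatever the heuristics look for, and the heuristics misfire on legitimate mail. The Python block below is an added illustration and is not code from the thesis or from any of the cited papers. Its feature set, weights, threshold and sample URLs are assumptions chosen for the demonstration (the samples use only the reserved 192.0.2.0/24 address range and the reserved .example top-level domain). It scores three constructed URLs with a handful of lexical features and shows one true positive, one false positive on a plausible institutional single-sign-on link, and one evasion in which a homoglyph brand name sits inside the registrable domain and trips nothing.

```python
"""Lexical URL heuristics for phishing-site filtering: an added illustration.

Not code from the thesis or the cited papers. Feature set, weights, threshold
and sample URLs are assumptions chosen only to show one true positive, one
false positive and one evasion. Runs offline: no DNS lookups, no fetching.
"""
from urllib.parse import urlsplit
import ipaddress

# Brand / credential tokens a lexical filter might watch for (assumed list).
BRAND_TOKENS = ("paypal", "bank", "login", "secure", "account", "verify")

# Feature weights (assumed) and the score at which a URL is called a phish.
WEIGHTS = {
    "ip_host": 3,               # numeric host: nothing to reputation-check
    "userinfo": 3,              # "brand@real-host": text before "@" is not the host
    "brand_outside_domain": 2,  # brand token in subdomain or path, not in the registrable domain
    "many_labels": 1,           # deep subdomain chain pushes the real domain out of view
    "long_url": 1,              # more than 75 characters
    "hyphenated_host": 1,       # two or more hyphens in the host
}
THRESHOLD = 3


def url_features(url: str) -> dict:
    """Boolean lexical features of one URL, computed from the string alone."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = (parts.path or "").lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    labels = host.split(".")
    # Naive registrable-domain guess: the last two labels. This guess is wrong
    # for suffixes such as "ac.uk" and is one reason lexical filters misfire.
    registrable = host if is_ip or len(labels) < 2 else ".".join(labels[-2:])
    outside = ("" if is_ip else ".".join(labels[:-2])) + path
    return {
        "ip_host": is_ip,
        "userinfo": parts.username is not None,
        "brand_outside_domain": any(t in outside for t in BRAND_TOKENS)
        and not any(t in registrable for t in BRAND_TOKENS),
        "many_labels": (not is_ip) and len(labels) >= 4,
        "long_url": len(url) > 75,
        "hyphenated_host": host.count("-") >= 2,
    }


def phish_score(url: str) -> int:
    """Weighted sum of the features that fire for this URL."""
    feats = url_features(url)
    return sum(w for name, w in WEIGHTS.items() if feats[name])


def classify(url: str) -> str:
    return "phish" if phish_score(url) >= THRESHOLD else "legit"


# Constructed samples with the label a human analyst would assign.
# Only the reserved TEST-NET-1 range and the reserved .example TLD are used.
SAMPLES = [
    # true positive: numeric host, brand token in the path
    ("http://192.0.2.10/paypal/login.php", "phish"),
    # false positive: a plausible institutional single-sign-on link that trips
    # many_labels, brand_outside_domain and long_url
    ("https://www.sso.uni.example/account/verify-email?token=d41d8cd98f00b204e9800998ecf8427e", "legit"),
    # evasion: homoglyph brand name inside the registrable domain, nothing else odd
    ("https://paypa1-account.example/signin", "phish"),
]


def evaluate(samples=SAMPLES):
    """Return (url, analyst_label, filter_verdict) so disagreements are visible."""
    return [(url, truth, classify(url)) for url, truth in samples]


if __name__ == "__main__":
    for url, truth, verdict in evaluate():
        flag = "" if truth == verdict else "  <-- filter disagrees"
        print(f"{phish_score(url):2d} {verdict:5s} (analyst: {truth:5s}) {url}{flag}")
```

Run directly, the script prints the score, the filter's verdict and the analyst's label for each sample; evaluate() returns the same triples so the disagreements can be checked programmatically. The particular weights are not the point. Any fixed, transparent rule set has a blind side an attacker can learn (the third sample) and a cost in legitimate traffic (the second), which is exactly the gap the chapter argues is left for the user to fill.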

1.1.1 Demographic influences on susceptibility

Some research supports the assumption that the average age of fraud victims is significantly higher than the general population (Pak & Shadel, 2011; Shadel & Pak, 2007). However, other research has demonstrated, in contrast, that older internet users are actually less susceptible than younger users (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010; Pratt, Holtfreter, & Reisig, 2010). The gender of users has also been highlighted as a potential factor influencing susceptibility, but again the findings are inconsistent, with some research demonstrating that males show more caution in assessing fraudulent communications (Jagatic, Johnson, Jakobsson, & Menczer, 2007; Bailey, Mitchell, & Jensen, 2008; Hong, Kelley, Tembe, Murphy-Hill, & Mayhorn, 2013), whilst other research reports no difference in susceptibility based on gender (Parsons, McCormac, Pattinson, Butavicius, & Jerram, 2013).

Prior web experience and usage habits have been considered in some studies, with a general assumption that users who spend more time online or who have experience with cyber security would be less susceptible to phishing attacks. Jagatic et al. (2007) demonstrated that student participants who were majoring in a technology-related subject, such as computer science or informatics, were less vulnerable than students from other subject areas such as business and liberal arts. Friedman, Hurley, Howe, Felten, and Nissenbaum (2002) supported this, with findings that showed participants from a high-technology community were better able to recognise unsecure connections than participants from a typical suburban or rural community. However, Vishwanath, Herath, Chen, Wang, and Rao (2011) report surprising results, which demonstrate that users who receive more email traffic are also more likely to respond to a phishing email. It is thought that persuasive techniques in some phishing emails, such as a sense of urgency, make them stand out to users against the normal, relevant emails that they are used to receiving, making them more likely to react. Further to this, self-report data regarding email usage habits demonstrated that higher usage increased the likelihood of victimisation in a simulated phishing attack (Vishwanath, 2015).

The inconsistent nature of past research addressing demographic differences in susceptibility to email fraud suggests that these alone cannot be relied upon to detect the most at-risk users. The National Fraud Authority (2011) produced a report which outlines key demographics for different victim typologies, emphasising that victims come from a range of age groups and backgrounds, suggesting that there is no specific demographic to focus attention on when identifying and addressing real-world incidents of susceptibility. Therefore, alternative explanations for individual differences in susceptibility should be considered, which are addressed later in the chapter.

1.1.2 The current thesis

Given the relative novelty of the issue of susceptibility to email fraud in research, the literature remains sparse, especially in relation to psychological approaches. As yet, there is no comprehensive psychological model to explain susceptibility through human error. A number of studies report findings regarding individual variables, but have not considered how these interact with one another, as well as with situational influences.

Throughout the thesis, three main approaches will be considered in order to develop such an explanation of individual differences in susceptibility. These are outlined in Figure 1.1, along with potential examples of each based on past research. Perspectives from social psychology suggest that poor decisions result from persuasive techniques employed by the sender, i.e. the perpetrator. On the other hand, cognitive approaches naturally focus on the fallible mental architecture of the recipient. This can be considered both in a variable sense, with behaviours that change based on situational and contextual factors, as well as more concrete individual differences in the cognitive make-up of the user.

[Figure 1.1: diagram in which three sources of influence feed into "Susceptibility to email fraud". Persuasive techniques employed by the sender (examples: sense of urgency, authority, familiarity); situational factors (examples: multi-tasking, time constraints, stress); cognitive make-up of the user (examples: self-control, personality, impulsivity).]

Figure 1.1 Diagram of theoretical perspectives on susceptibility to email fraud, based on Figure 1 in Jones, Towse, and Race (2015)

Although this thesis will focus mainly on the psychological approaches, some chapters will also touch on approaches from computer science that have considered human-computer interaction (HCI) and the influences that can increase or decrease users' trust in online systems and communications. These influences include the appearance of the email or website, the perceived quality of information provided, and the degree of transparency with regard to how information will be used once shared (Karat, Karat, & Brodie, 2009). In order to fully understand the decision-making process, it is crucial to consider the techniques employed on both sides of the interaction. There may be emergent properties from the dynamic that exists between message content and message interpreter that are important in the outcome of the email response decision-making process.

1.2 Theoretical perspectives

1.2.1 Persuasive techniques employed by the sender

General theoretical work surrounding the psychology of persuasion points to the relevance of factors such as authority, scarcity, and social conformity (Cialdini, 1993). These persuasive influences can be present in fraudulent communications (as well as legitimate messages) and have been demonstrated to lead to more successful phishing attempts. For example, spear phishing is a technique that uses information collected about the victim, usually from publicly available sources such as social networks, to make the communications more personal, and thus more believable. Work by Jagatic et al. (2005) used a simulated phishing attack to demonstrate that participants were more likely to respond to an email purporting to be from a friend than an email that came from an unknown sender. This provides evidence of the influence of social conformity, as a user is more likely to conform to an email from a known friend from whom they may wish to maintain social acceptance by responding.

Further to this, the level of authority in an email seems to be an important factor in persuading the user to respond. Historically, ground-breaking research such as that conducted by Stanley Milgram in the 1960s has shown how, regardless of the severity of the consequences, people are generally submissive to the instructions of an authority figure. Workman (2007) demonstrated that self-report measures of obedience to authority were predictive of response behaviour to a number of simulated phishing emails. Further to this, Guéguen and Jacob (2002) used a simulated phishing attack to demonstrate that participants were more likely to respond to an email asking them to complete a survey when the sender was a scientific researcher (labelled by the researchers as the more authoritative figure) in comparison to the same email when it came from an undergraduate student. There may be a number of additional factors (such as history of past messages, awareness of what to expect from the sender, etc.) that are also influencing this decision-making process and variation in response likelihood, but regardless, the effect is noteworthy.

In addition, other visceral influences might be manipulated by fraudsters to emulate scarcity as a way of increasing the persuasive power of an email. Such influences include greed and fear, for example via limited-time offers of money, or threat of loss (e.g. access to online accounts, or impending fines) as part of the email message. Higher levels of visceral influence are thought to lead users to overlook the importance of cues that might otherwise trigger suspicion (Langenderfer & Shimp, 2001).

Although these persuasive techniques provide a partial explanation of why some phishing emails are more successful than others, they do not explain how thousands of users can receive the same email and only a small proportion respond. Therefore, alternative approaches that address situational and individual differences between users are discussed below.

1.2.2 Situational factors affecting cognitive processing

In a real-life scenario, users are often required to manage emails whilst preoccupied with other tasks or under limited time constraints, for example in a work environment where they have deadlines to meet, but 'urgent' emails are being received simultaneously. Therefore, this section considers how individual cognitive capacities and processing might affect decision-making in these scenarios. Such considerations also apply to behaviour surrounding emails that impose a sense of urgency on the user, through the use of tactics such as threat of loss, thus requiring an immediate response.

In these circumstances users will often experience an impulsive reaction to a phishing email, portrayed by the perpetrator as the rational response, when this is actually a sub-optimal decision (Dong, Clarke, & Jacob, 2008). In order to avoid these poor decisions, users must engage rational decision-making processes in order to suppress their initial intuition. Yan and Gozu (2012) examined susceptibility to email fraud by distinguishing rational and intuitive decision-making conditions in an email legitimacy task. Participants were told either to give rapid responses upon a first look at the email (intuitive), or to take their time and read the email carefully before deciding on their final response (rational). In the rational decision-making condition, participants accurately identified more emails as scams than when intuitive decision-making was employed. Further to this, research based on self-reports regarding the use of rational and intuitive decision-making strategies after receiving a simulated phishing email demonstrated that higher reliance on rational processing predicted lower trust in the legitimacy of the email (Harrison, Vishwanath, & Rao, 2016).

One explanation for these findings could be a dual-systems reasoning approach to decision-making. Such theories of reasoning (e.g. Stanovich, 1999; Kahneman, 2000; Stanovich & West, 2002; and Evans, 2003) propose two psychological systems for generating behavioural responses, the deployment of which depends on the nature of the individual situation. System 1 relies on intuitive, immediate, and emotional responses to make decisions. Sometimes termed the heuristic approach, this approach to reasoning makes use of prior knowledge and experiences to make decisions in unfamiliar situations. This allows decisions to be made more rapidly, with less information processing, and thus is usually the dominant approach taken in decision-making scenarios. On the other hand, system 2 reasoning requires suppressing the intuitive response, in order to gather the necessary information to allow hypothetical thinking. In taking a more rational approach, this allows consideration of the future consequences of a given behaviour, thus allowing a more considered decision to be made. However, this approach is slower, requiring greater attention and information processing, and is therefore not employed as often.

The reliance on generalisations of prior knowledge means that system 1 decisions can lead to systematic errors (Tversky & Kahneman, 1975), as demonstrated in the research outlined above relating to email response behaviour. This is consistent with the idea of such dual-system approaches being employed in relation to email management and susceptibility, suggesting that users are at higher risk of victimisation when they are reliant on intuitive, system 1 decisions about email legitimacy.

It has been argued that the ability to engage more rational, system 2 decision-making strategies correlates with working memory capacity (Kyllonen & Christal, 1990; Markovits, Doyon, & Simoneau, 2002). Limitations in working memory capacity can affect a wide variety of cognitive situations, such as the ability to maintain multiple interpretations of ambiguous sentences (e.g. Miyake, Just, & Carpenter, 1994). By analogy, such limitations may make it more difficult for a person with lower working memory capacity to engage rational decision-making strategies in detecting phishing emails. Processing the content of an email whilst assessing its veracity may be cognitively taxing, especially in situations where time is limited or the user is completing multiple tasks simultaneously. As a result, users in these situations, especially those with lower working memory capacity, may fall back on impulsive decision-making strategies.

An alternative explanation of why those with higher working memory capacity perform better under cognitive load may be that they are better able to divide attention efficiently. With the development of modern technology, users are often engaged with multiple devices simultaneously, working on numerous tasks, thus requiring continual shifts in attention between these (Roda, 2011). Efforts to divide attention normally result in effective distribution of the cognitive processing capabilities required to complete tasks simultaneously. However, under certain circumstances, dividing attention can result in erroneous decisions. Theories of divided attention suggest that individual differences, in factors such as working memory capacity, as well as situational factors can influence how well a person is able to perform multiple tasks at once (Kane, Bleckley, Conway, & Engle, 2001). Colflesh and Conway (2007) demonstrated that participants with a higher working memory capacity performed better on a selective attention, dichotic listening task (participants must concentrate on a task based on an auditory stimulus, whilst simultaneously listening to another, different auditory stimulus) than those with a lower working memory capacity. In relation to online decision-making, it may be that a person's ability to detect phishing emails is, in part, influenced by any other tasks requiring their attention at the same time, combined with their ability to divide attention effectively.

In an experimental context, divided attention is often measured using dual-task paradigms, in which participants are given a primary task to complete, whilst simultaneously completing a secondary task that adds to their cognitive load, such as counting out loud, or remembering a letter string. More recent literature has used these types of tasks in applied settings, for example, looking at participants' attention to driving when using a mobile phone. Beede and Kass (2006) gave participants a simulated driving task, whilst also engaging in a conversation on a hands-free mobile device, and found that driving performance was negatively affected by simultaneous use of a mobile device. The dual-task paradigm may be transferred to situations involving email management, whereby a user is often attempting to interleave multiple tasks. This would provide evidence to establish whether dividing attention, and an inability to do so effectively, is detrimental to the decision-making process.

Aside from the situational influences on cognitive processing, individual differences in a construct such as working memory capacity may affect the propensity of individuals to process emails sub-optimally. That is, working memory demands can vary by situation for a person, but working memory capacity differs across individuals too (Conway, Jarrold, Kane, Miyake, & Towse, 2007). In this regard, Cokely and Kelley (2009) found that participants who demonstrated a higher working memory capacity were less likely to engage in risk-taking behaviour, which is likely to be because they were able to engage more rational decision-making strategies than those participants with lower working memory spans.

1.2.3 Cognitive make-up of the user

In addition to working memory capacity, other psychological variables can be considered in terms of how variability between users acts as an influencing factor on susceptibility. A combination of relevant psychological factors may contribute to a sort of 'cognitive profile', representative of those users who are most at risk of online fraud victimisation. Research has shown links between working memory capacity and inhibition (Engle, 1996; Redick, Heitz, & Engle, 2007), demonstrating that lower working memory capacity relates to impaired performance in tasks measuring inhibition, such as the Flanker task (Redick & Engle, 2006). Inhibition describes a cognitive function requiring suppression of surrounding information to allow a person to successfully complete the task in question. In relation to email management, increased inhibitory capacity would allow a user to suppress their intuitive response to a phishing email, in order to contemplate all cues available to them and make a more informed decision. This relates back to the dual-systems theories of reasoning described above, with inhibitory capacity improving the ability to engage more rational decision-making processes, as demonstrated with working memory capacity.

A further variable, cognitive reflection (Frederick, 2005), describes the ability to reflect upon a problem in order to engage rational decision-making and reach a more accurate, reasoned decision, rather than relying upon an intuitive response. There are clear parallels between this and inhibitory capacity in explaining behavioural responses during decision-making. When considered in relation to email management, users with higher levels of cognitive reflection may be better at recognising more subtle cues to deception through rational contemplation, and thus reduce their susceptibility. However, some evidence has demonstrated a link between cognitive reflection and risk preferences, with participants who have higher levels of cognitive reflection being more likely to take a calculated risk in a gambling task in order to achieve a larger pay-out at a later date, rather than taking the immediate, smaller pay-out. This may mean that those users who have higher levels of cognitive reflection would be more likely to rationalise the risk involved with responding to a phishing email, thus increasing their response likelihood.

Other research looking at decisions surrounding risk using gambling / risk pay-off scenarios has directly considered the relevance of dual-system theories of reasoning in this scenario (e.g. Brand, Heinze, Labudda, & Markowitsch, 2008; Porcelli & Delgado, 2009). There are strong parallels between these types of gambling tasks and fraud detection. The prevalent methodologies all rely on the same basic principle of exploring whether people would take a gamble or not. In employing intuitive decision-making processes, a person would likely choose the option which gave them the biggest reward, rather than thinking through the decision in terms of the long-term benefits or risks. If the same processes are in fact employed in email decision-making, then it is likely that psychological variables found to influence risky decision-making in these gambling scenarios will also influence decisions surrounding email management (e.g. sensation seeking: Hoyle, Stephenson, Palmgreen, Lorch, & Donohew, 2002).

Previous research looking specifically at fraud victimisation has considered personality and self-control as indicators of susceptibility. Modic and Lea (2011) demonstrated that higher levels of agreeableness and lower levels of extraversion, measured using the International Personality Item Pool (IPIP; Goldberg, 1999), were associated with higher levels of susceptibility to fraud victimisation, as measured by self-reports of past behaviour. They suggest that users who show higher levels of agreeableness are likely to be more trusting generally and so believe what they are told by those they are communicating with online, whilst those who show lower levels of extraversion are likely to seek and build stronger relationships online than they do in person, as they are not as comfortable in offline social situations, which again may lead them to be more trusting of the people they are interacting with online.

In%an%adaptation%of%Gottfredson%and%HIrschi’s%selfScontrol%theory%(1990),%

Schreck%(1999)%suggests%that%low%selfScontrol%is%a%strong%predictor%of%crime% victimisation.%Although%this%theory%relates%more%broadly%to%all%types%of%victimisation,% elements%of%Schreck’s%explanation%of%this%theory%relate%clearly%to%fraud.%In%parallel% with%theories%of%dualSsystem%reasoning%(discussed%above),%it%is%suggested%that%victims% engage%in%intuitive,%rather%than%rational,%decisionSmaking%processes,%with%no% consideration%for%the%negative%consequences%of%their%actions.%Instead%the%decision%is%

!

16!

based%on%the%proximity%of%gain%or%loss.%Further,%Schreck%proposes%that%those%with% lower%selfScontrol%demonstrate%less%diligence%in%terms%of%security%related%behaviour,% thus%leaving%themselves%more%at%risk.%This%theory%has%been%applied%to%fraud% victimisation%S%with%lower%levels%of%selfScontrol%found%to%relate%to%fraud%susceptibility% based%on%response%to%a%set%of%hypothetical%written%scenarios%(Holtfreter,%Reisig,% Piquero,%&%Piquero,%2010).%In%addition,%research%looking%at%victims%of%internet% consumer%fraud%(i.e.%paying%for%an%item%online%that%never%arrived),%based%on%selfS reports%of%victimisation,%demonstrated%that%participants%with%lower%selfScontrol%were% more%likely%to%have%been%victimised%(van%Wilsem,%2013).%This%study%focuses%on%one% specific%online%fraud%scenario%though,%and%so%there%is%no%evidence%as%yet%that%this%can% be%generalised%to%responses%to%phishing%emails.%% %

The%research%highlighted%in%this%section%demonstrates%a%number%of%potential%

links%between%cognitive%variables%and%the%decisionSmaking%process%surrounding%fraud% victimisation.%In%the%thesis,%these%cognitive%variables,%including%those%from%broader% research%such%as%that%on%risky%decisionSmaking%and%working%memory%capacity,%will%be% assessed%in%terms%of%their%relationship%with%susceptibility.%% % 1.3!Measuring!susceptibility!

!

Whilst%the%psychological%constructs%considered%above%in%relation%to% susceptibility,%such%as%personality,%selfScontrol,%and%working%memory,%can%be% assessing%using%reliable,%wellSspecified%measures,%and%the%persuasive%techniques% manipulated%through%content%shown%to%participants,%the%methods%used%so%far%to% assess%susceptibility%are%less%clearScut.%The%following%discussion%outlines%four%key% methodologies%that%have%been%used%to%date%in%research%surrounding%email%decisionS

!

17!

making,%each%of%which%has%practical%benefits.%However,%none%have%been%extensively% replicated%to%assess%reliability%or%validity.%Therefore,%the%benefits%and%limitations%of% each%will%be%considered%in%contemplation%of%assessing%susceptibility%in%the%thesis.% ! 1.3.1!Scale!measures!! The%Human%Aspects%of%Information%Security%Questionnaire%(HAISSQ;%Parsons,% McCormac,%Butavicius,%Pattinson,%&%Jerram,%2014)%measures%the%extent%to%which% individuals%are%at%risk%from%security%threats,%based%on%the%interactions%between%their% knowledge%of%policy%and%procedures,%attitude%towards%these,%and%computer% behaviour.%Although%designed%to%cover%a%broad%spectrum%of%security%threats%such%as% password%management%and%social%networking%use,%this%questionnaire%does%include% questions%about%email%behaviours,%including%distributing%emails%and%opening% attachments.%The%scale%was%reported%to%have%good%internal%consistency%and%testS retest%reliability%(McCormac,%et%al.,%2016),%although%no%measures%have%yet%been% reported%on%the%ecological%validity%in%relation%to%how%well%the%questionnaire% measures%actual%information%security%behaviour.%% Modic%and%Anderson%(2014)%have%recently%developed%a%selfSreport%scale% measure%of%susceptibility%to%persuasion,%which%is%linked%more%directly%to%behaviour% surrounding%email%management.%This%incorporates%psychological%mechanisms%from%a% range%of%contexts,%with%a%focus%on%measuring%factors%that%influence%scam%compliance,% such%as%social%influence,%sensation%seeking,%selfScontrol,%and%risk%preferences.% Example%items%from%the%scale%include:%‘It*is*important*to*me*that*those*who*know*me* can*predict*what*I*will*do’,%‘I*have*a*hard*time*breaking*bad*habits’,%and%‘In*general,*I* work*better*when*I’m*under*pressure’.%Validity%testing%on%an%earlier%version%of%the%

!

18!

scale%(Modic%&%Lea,%2013)%found%the%factors%measured%in%the%scale,%such%as%selfS control%and%sensation%seeking,%were%all%related%to%susceptibility%as%measured%by%selfS reported%compliance%to%a%set%of%written%scenarios.%However,%since%developing%the% second%version%of%the%scale,%and%including%a%number%of%added%variables,%this%validity% testing%does%not%seem%to%have%been%repeated%so%we%cannot%know%for%sure%the%extent% to%which%this%updated%scale%is%actually%measuring%susceptibility.%% Both%of%these%measures%were%developed%after%the%current%thesis%was% designed,%and%so%were%not%incorporated%to%assess%susceptibility.%With%further% development%and%validity%testing,%they%do%offer%an%ethically%sound%alternative% methodology%for%future%research%though.%However,%as%with%all%selfSreport%measures,% these%scales%may%be%subject%to%demand%characteristics,%i.e.%the%participant%responds% to%the%scale%in%a%way%that%they%think%is%socially%desirable%rather%than%responding% truthfully%(Nederhof,%1985;%Paulhus,%1991;%King%&%Bruner,%2000).%Therefore,%validity% testing%would%need%to%ensure%that%the%scale%measures%were%predictive%of%actual% behavioural%response%to%email%attacks,%rather%than%selfSreported%victimisation,%before% these%could%be%considered%as%an%alternative%to%behavioural%measures,%such%as%those% described%below.%% % 1.3.2!Email!legitimacy!tasks! A%more%commonly%used%measure%of%susceptibility%involves%asking%participants% to%rate%their%likelihood%to%respond%in%given%situations.%This%method%has%been%used%in% research%looking%at%both%online%and%offline%fraud%(e.g.%Holtfreter%et%al.,%2010),%but%this% section%will%focus%on%those%studies%that%have%investigated%email%fraud.%%

!

19!

%

Yan%and%Gozu%(2012)%used%this%method%with%email%screenshots,%showing%

participants%either%the%subject%line%of%an%email%or%the%entire%body%of%text,%as%a% measure%of%the%importance%of%availability%of%information.%Overall,%there%were%36% emails%in%this%task,%all%of%which%were%genuine%examples%of%unsolicited%phishing%emails.% Participants%were%asked%to%report%whether%they%would%‘read’%or%‘delete’%each%email.% Results%demonstrated%that%participants%reported%they%would%‘delete’%significantly% more%emails%when%they%were%shown%the%entire%body%of%text,%as%opposed%to%when% they%saw%only%the%subject%line%of%an%email,%demonstrating%the%importance%of% considering%all%available%information%when%managing%emails.%Such%tasks%provide%an% arguably%more%valid%measure%of%susceptibility%than%the%questionnaire%approach,%as% they%measure%actual%behaviour,%although%this%behaviour%is%still%laboratory%based.% Participants%may%not%be%interacting%with%the%emails%in%the%same%way%as%they%would% were%they%to%receive%the%given%emails%to%their%own%inbox.%In%addition,%Yan%and%Gozu’s% task%uses%only%phishing%emails%as%stimuli,%which%may%influence%participants’% responses.%To%the%extent%that%participants%expect%to%differentiate%between%a%mixture% of%phishing%and%legitimate%emails%when%they%are%given%a%forcedSchoice%task,%decisions% may%show%an%expectancy%bias.%Further%to%this,%the%binary%response%choice%of%‘read’%or% ‘delete’%does%not%necessarily%reflect%the%range%of%attitudes%or%beliefs%a%user%could% have%concerning%an%email.%Choosing%to%read%an%email%does%not%necessarily% demonstrate%susceptibility%as%the%user%might%then%disregard%the%email.%Adaptations% of%this%task%to%include%legitimate%emails%and%more%response%options%may%provide%a% more%accurate%measure%of%email%management%behaviour,%as%participants%would%be% discriminating%phishing%from%legitimate%emails,%as%in%their%own%inbox.%
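The two problems just raised with binary email judgement tasks (a forced choice that invites a response bias, and a stimulus set whose mix of phishing and legitimate emails shapes the score) are easier to see when the task is scored with signal detection measures rather than raw accuracy. The following Python script is an added example, written for this page and not drawn from any of the studies cited or from the thesis itself; the signal-detection framing, the function names and the two participants' response counts are my own constructions. It separates a participant's sensitivity to phishing (d') from their willingness to call an email phishing at all (criterion c), using two constructed participants who both score 28 out of 40 correct but for opposite reasons, and then projects how the same two observers would score if only 25% of the emails were phishing, the kind of proportion manipulation this thesis goes on to use.

```python
"""Signal-detection scoring for a forced-choice email legitimacy task.

Added example: the trial data below are constructed for illustration and are
not results from any study. Accuracy alone conflates two things such a task
mixes together: how well a participant separates phishing from legitimate
email (d') and how readily they call an email 'phishing' at all (criterion c).
"""
from dataclasses import dataclass
from statistics import NormalDist

_STD = NormalDist()
_Z = _STD.inv_cdf   # probit: z-score for a cumulative probability (stdlib, no scipy)
_PHI = _STD.cdf     # standard normal CDF


@dataclass(frozen=True)
class Trial:
    is_phish: bool      # ground truth of the stimulus
    judged_phish: bool  # participant's response


def counts(trials):
    """Return (hits, misses, false alarms, correct rejections)."""
    hits = sum(1 for t in trials if t.is_phish and t.judged_phish)
    misses = sum(1 for t in trials if t.is_phish and not t.judged_phish)
    fas = sum(1 for t in trials if not t.is_phish and t.judged_phish)
    crs = sum(1 for t in trials if not t.is_phish and not t.judged_phish)
    return hits, misses, fas, crs


def _corrected(k, n):
    """Log-linear correction: keeps a rate off 0 and 1 so the z-score stays finite."""
    return (k + 0.5) / (n + 1)


def score(trials):
    """Accuracy, sensitivity d' and criterion c (c < 0 liberal, c > 0 conservative)."""
    hits, misses, fas, crs = counts(trials)
    hit_rate = _corrected(hits, hits + misses)
    fa_rate = _corrected(fas, fas + crs)
    d_prime = _Z(hit_rate) - _Z(fa_rate)
    criterion = -(_Z(hit_rate) + _Z(fa_rate)) / 2
    accuracy = (hits + crs) / len(trials)
    return {"accuracy": accuracy, "d_prime": d_prime, "criterion": criterion}


def expected_accuracy(d_prime, criterion, p_phish):
    """Proportion correct the same observer would be expected to reach if the
    stimulus set contained a fraction p_phish of phishing emails."""
    hit_rate = _PHI(d_prime / 2 - criterion)
    fa_rate = _PHI(-d_prime / 2 - criterion)
    return p_phish * hit_rate + (1 - p_phish) * (1 - fa_rate)


def make_trials(hits, misses, fas, crs):
    """Build a trial list from cell counts (constructed sample data)."""
    return ([Trial(True, True)] * hits + [Trial(True, False)] * misses
            + [Trial(False, True)] * fas + [Trial(False, False)] * crs)


# Two constructed participants, 20 phishing + 20 legitimate emails each.
# Both get 28/40 correct; one flags almost everything, the other trusts almost everything.
LIBERAL = make_trials(hits=18, misses=2, fas=10, crs=10)
CONSERVATIVE = make_trials(hits=10, misses=10, fas=2, crs=18)

if __name__ == "__main__":
    for name, trials in (("liberal", LIBERAL), ("conservative", CONSERVATIVE)):
        s = score(trials)
        at_25 = expected_accuracy(s["d_prime"], s["criterion"], 0.25)
        print(f"{name:12s} acc={s['accuracy']:.2f} d'={s['d_prime']:.2f} "
              f"c={s['criterion']:+.2f} expected acc at 25% phishing={at_25:.2f}")
```

Both participants have the same d' (about 1.18) and the same 70% accuracy on a 50/50 set, but their criteria are mirror images (about -0.59 and +0.59). Lowering the phishing proportion to 25% rewards the conservative responder and penalises the liberal one, so a study that changes the mix of stimuli and reports only accuracy cannot tell whether participants became better at the task or merely better matched to its base rate.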


One additional limitation of a forced-choice email task such as that employed by Yan and Gozu (2012) is that participants are actively seeking to distinguish between phishing and legitimate emails, which they are not doing in day-to-day email management. Parsons et al. (2013) reported that participants performed better in an email judgement task when they were forewarned about the nature of the research. This suggests that participants may perform with higher accuracy when actively seeking to recognise phishing emails.

Variations on this type of methodology have attempted to address this issue through the use of role-play scenarios, in which participants are asked to access the account of a fictional character and report how they would deal with a number of emails in the inbox of this account. Downs, Holbrook, and Cranor (2007) employed this method when assessing how knowledge of cues, such as security icons, affected phishing susceptibility. Participants, in the role of the fictional ‘Pat Jones’, were asked how they would respond to a set of five emails, each of which contained a URL link, with no mention that the study looked at ability to detect phishing emails. Possible response options for each email included ‘reply by email’, ‘click on the link’, and ‘type the URL into a browser window’. Those who indicated that they would click on the link were then shown the associated webpage and asked how they would respond when faced with this. Participants who could correctly define ‘phishing’ and who recognised incorrect security lock images showed lower susceptibility to phishing, whilst knowledge of other risks such as spyware and viruses did not affect susceptibility. This type of task is informative in the sense that it can assess susceptibility in a controlled environment whilst not alerting participants to the nature of the task, thus reducing expectancy effects (Parsons et al., 2013). However, the way in which this specific task was constructed may still have prompted socially desirable responses. For example, when given the option ‘type the URL into a browser window’, participants may be alerted that this is the most sensible option compared to the others, such as ‘click on the link’.

Hong et al. (2013) employed a similar methodology, with participants taking on the role of ‘Bob Jones’ and being asked to categorise 14 email messages, of which 9 were illegitimate. Two response options were available: marking the email as important, or deleting the email. This study identified trust, extraversion, and openness as factors correlated with likelihood to delete legitimate emails. However, no significant findings were reported in relation to psychological constructs and responses to the phishing email stimuli. In this study, the majority of the email stimuli were designed to be illegitimate, which is not representative of a real inbox and may generate some bias in how participants respond. In addition, the binary nature of the response options generates the same problem as Yan and Gozu’s study. The categories are very broad, and marking an email as ‘important’ does not necessarily demonstrate susceptibility.

These email legitimacy tasks may also be limited in their emulation of threat to the participants, as there is nothing at risk in their participation. If participants were to judge these emails in their own inboxes then it would be their personal information or money at stake if they chose to reply, whereas in the lab situation participants have nothing to lose whether they perform well or not. In order to encourage participants to perform realistically, it would be necessary to provide them with some incentive to perform well. This may encourage participants to put more effort into the task, although the level of risk still does not mirror that faced when managing phishing emails in real life. As yet, there is no evidence to suggest how much this affects study validity.

Although there are still some unanswered questions in relation to how ecologically valid email legitimacy tasks are as a measure of susceptibility, they do provide an ethically sound method for assessing how well users can distinguish between a set of phishing and legitimate emails. This design allows for assessment of a variety of email types, as well as providing the controlled environment necessary for manipulating other variables of interest. Examples include time pressure and completion of simultaneous tasks, which allow for the assessment of situational predictors of performance on the email task. To date, research has not considered how this type of task relates to real-world susceptibility, but if a strong correlation were demonstrated between accuracy on email legitimacy tasks and susceptibility on more ecologically valid measures, this would imply that these tasks could act as a complementary alternative to more ethically restricted and time-consuming methodologies.

1.3.3 Working with past victims

Modic and Lea (2011) used an alternative to the judgement tasks above, by asking participants whether they had ever responded to each of a set of fraudulent scenarios outlined in written descriptions. Data from those participants who reported responding to a fraudulent communication in the past were used in further analysis. Of 506 participants who were screened, only 67 claimed to have responded, meaning that the sample size used in the remainder of the analysis was drastically reduced. In this study, reports of victimisation were limited to the written scenarios given to participants. Whilst these cover a range of scam types, the list is not comprehensive, and interpretation of the scenarios described may differ between participants. Therefore, the scenarios may underestimate victimisation, with some participants being victims of fraudulent communications that do not fit into any of the scenarios described.

Whitty and Buchanan (2012) recruited victims of romance scams in order to compare measures of loneliness, extraversion, agreeableness, neuroticism, romantic beliefs, and sensation seeking between them and a control group to establish differences. The only significant finding in this study was that victims were more inclined to idealise romantic partners. This work looks solely at victims of online romance scams though, which is a specific focus, and it cannot be assumed that findings would generalise to victims of other types of scams online.

Shadel and Pak (2007) also worked with past victims, looking at differences in demographic and psychological characteristics, such as impulsivity, self-reliance, and optimism, between offline fraud victims and a control group. These victims were grouped depending on the type of fraud perpetrated, in this case either lottery or investment victims. Some differences were found between the victim and the control groups on the psychological measures. For example, lottery victims were found to demonstrate higher impulsivity than both investment victims and the control group, whilst the victim group as a whole demonstrated more self-reliance than the control group. However, each of the variables discussed in this study was measured by only one question, meaning that its accuracy in assessing psychological variables may be fairly limited.

On one hand, past victims form a sample population who have self-evidently demonstrated susceptibility to online fraud attempts in a real-world setting. However, there are still a number of challenges faced in using such a sample for this kind of research. One of these is that fraud victimisation is a quasi-experimental variable; such individuals have not been assigned at random to a ‘victim’ group, meaning that the contextual circumstances surrounding their victimisation need to be established. Being a past event outside of experimental control, this can be difficult, as gathering this information is reliant upon the victim’s own recall of the event. The likelihood of a victim being able to recall the situation they were in, or the external constraints on them, upon receiving the email and as a consequence of reading it (were they tired, distracted, busy) is minimal. The reliance on self-reported information about situational factors affecting susceptibility means that validity is limited. It is also possible that the individual who has been a victim will have changed as a result of the incident in terms of their cognitive make-up; after all, they may have been financially ruined, or they may be embarrassed by what now appears to them to be a demonstration of gullibility. They may also have read about the scam or other similar scams, and may have been part of training programmes with respect to online security. As a result, the responses they give to questions and psychological measures may differ from the way they would have responded prior to victimisation.

In addition, this method relies on the researcher’s ability to establish a comparable control group so that differences can be measured between the susceptible group and a group of users who do not demonstrate susceptibility. This may prove challenging for a number of reasons, the most significant being establishing who is not susceptible. It may be the case that a user has never responded to a fraudulent email communication, but this may be because they have not received a sufficiently convincing phishing email. Matching control group participants and past victims on their demographic characteristics (age, gender, educational background), internet experience, and email usage habits would go some way to ensuring a comparable sample. However, it is not realistic to establish the exact emails which participants have received in their time as internet users, so it is not possible to know whether members of the control group are less susceptible or whether they have simply not received the same phishing emails as victims.

Finally, it is important to consider how the method of recruitment for work with past victims may influence the validity of the data. Cybercrime goes heavily underreported, with substantially lower reporting rates than other crimes (Copes, Kerley, Mason, & Van Wyk, 2001), so there may be some bias in the sample of victims who are willing to participate in research relating to their experiences. Some may not report their victimisation due to embarrassment or a lack of belief that it will help in any way, so it is unlikely that these people would be willing to discuss their experiences with a researcher either. There are also ethical considerations in working with those victims who have reported their victimisation, as this is a sensitive and traumatic experience for some. Reliving the experience may be difficult and, as a result, a sample of past victims who choose to volunteer to take part in research on the topic may not be representative of all victims, as those who have been affected more severely may be less willing to participate.

1.3.4 Simulated phishing attacks

The most ecologically valid, and yet most ethically restricted, method for assessing susceptibility is to simulate a genuine phishing attack by sending a fake phishing email to participants and recording whether or not they respond. Such an approach addresses a number of the limitations outlined for the other methods of measuring susceptibility discussed above. A number of studies have used this methodology to measure real-world susceptibility. Wright and Marett (2010) measured the importance of different behavioural factors to recipients’ likelihood of responding to a simulated phishing email. In this study, participants signed up to take part in research with the generic title ‘security research’ and were then given a unique ID code, which they were told was to be used to access course materials, assessments, and grades. These students then studied a module on internet security and privacy as part of their course, and completed a number of questionnaires assessing web experience and risk-taking behaviour. After this, the simulated phishing attack occurred, asking students to disclose their unique ID code because of lost information within the information technology database. Of the 299 participants included in the final analyses, 32% responded to the email, and the success of the phishing attack was reported to be related to less web experience, less security knowledge, less suspicion of humanity, and lower computer self-efficacy.

Although participants in this study were not told explicitly about the phishing attack that would occur, they gave consent to take part in ‘security research’. Therefore, they may have been more suspicious of an email coming into their inbox, knowing that it might be part of the research. Preliminary evidence from an undergraduate student project at Lancaster University demonstrated that when participants were forewarned that they might receive a phishing email as part of the experiment, their response likelihood to a simulated attack was lower (Mack, 2014). In addition, the completion of a module on internet security and privacy means that participants in Wright and Marett’s study would have been more aware of security risks, having just studied them. The role of information about the existence of such threats is not simple though, with some evidence to suggest that domain-specific experience and knowledge of cues to legitimacy does not always reduce susceptibility (Downs, Holbrook, & Cranor, 2006; Vishwanath et al., 2011).

Guéguen and Jacob (2002) also used a simulated attack, to measure the influence of the authority level of the sender on likelihood to respond. An email containing an HTML form for a survey on food habits was sent to two samples: students at a university, and users whose addresses had been collected by internet software designed to harvest lists of email addresses. Emails that purported to come from a scientific researcher (deemed to be of higher authority) gained a higher response rate than those purporting to come from an undergraduate student.

A further example comes from Jagatic et al. (2005), who used a simulated attack on university students in their research assessing the influence of familiarity on response likelihood. They found a significantly higher response rate to the emails that purported to come from senders familiar to the participant. For this study, Jagatic et al. used social networking information publicly available on the internet about participants to generate the ‘familiar’ senders. Although this information is freely available online, some participants may have been uncomfortable with it being gathered and used for research purposes. Finn and Jakobsson (2007) report that this study received 30 complaints from over 1700 participants, and 7 requested that their data be removed. Although these numbers seem relatively low given the large sample size, upset from any number of participants should be taken into account when developing measures of susceptibility to be used in the future. It is also worth noting that there may have been other participants who were also unhappy or distressed following the study, but did not raise a formal complaint with the researchers.

Although the use of simulated phishing attacks allows assessment of real-world susceptibility, a number of limitations may restrict the interpretation of results. The content and the context of the emails are very important to response likelihood, as discussed previously with regard to persuasive techniques employed by senders and situational factors that affect decision-making processes. Whilst the content of the simulated emails can be manipulated, the context in which they are received cannot. This means that, similar to working with past victims, any data about situational predictors of susceptibility are reliant on self-report measures. Further to this, the effect of different persuasive techniques employed in phishing emails, as discussed above, may differ between individuals. Although emails can be designed to emulate specific persuasive techniques, delivering only one email to a participant cannot capture all aspects of susceptibility. Rather, it focuses on users who are susceptible to the specific techniques used in that example. The only way to deal with this limitation would be to send multiple emails using different techniques to the same users, but from a practical viewpoint this is not effective, as participants would undoubtedly become suspicious and be less likely to respond upon receipt of numerous simulated emails.
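The simulated-attack studies above share one piece of engineering that the text describes only in passing: a way to attribute a response to a participant (Wright and Marett's unique ID code) without asking for a real credential, without keeping identities in the response log, and with a way to honour withdrawals such as those Jagatic et al. received. The Python sketch below is an added example written for this page; it is not code from any of the studies cited or from the thesis, and the participant identifiers, the fixed demo key and the recorded events are all constructed. Each participant's code is an HMAC of their identifier under a key held only by the researcher, so the code reveals nothing about the participant and cannot be forged by someone who obtains the roster format; the response handler rejects codes it never issued and compares in constant time; and withdrawal deletes the participant's roster entry and any response tied to it before the response rate is computed.

```python
"""Bookkeeping for a simulated phishing study (added example, constructed data).

Only the roster links a code to a person; the response channel sees codes alone.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Study:
    # Researcher-held secret: codes cannot be reproduced or guessed without it.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # code -> participant id. The only link between the two; lock it down or
    # delete it once the study closes.
    roster: dict = field(default_factory=dict)
    responded: set = field(default_factory=set)   # codes seen on the fake form
    withdrawn: set = field(default_factory=set)   # participants who asked to be removed

    def enrol(self, participant_id: str) -> str:
        """Issue the participant's unique code; the same id always yields the same code."""
        digest = hmac.new(self.key, participant_id.encode(), hashlib.sha256).hexdigest()
        code = digest[:16]   # 64 bits: unguessable for any study-sized roster
        self.roster[code] = participant_id
        return code

    def record_response(self, submitted: str) -> bool:
        """Handler for the simulated phishing form. Records only codes we issued;
        compare_digest keeps the comparison constant-time so a probe cannot learn
        how many leading characters of a guess were right."""
        submitted = submitted.strip()
        if not submitted.isascii():   # compare_digest rejects non-ASCII str
            return False
        for code in self.roster:
            if hmac.compare_digest(code, submitted):
                self.responded.add(code)
                return True
        return False   # unknown code (outsider or typo): nothing is stored

    def withdraw(self, participant_id: str) -> None:
        """Remove every trace of a participant who asks to withdraw."""
        for code, pid in list(self.roster.items()):
            if pid == participant_id:
                del self.roster[code]
                self.responded.discard(code)
        self.withdrawn.add(participant_id)

    def response_rate(self) -> float:
        """Fraction of the remaining (non-withdrawn) participants who responded."""
        n = len(self.roster)
        return len(self.responded & set(self.roster)) / n if n else 0.0


def run_demo() -> Study:
    """Constructed sequence of events for five hypothetical participants."""
    study = Study(key=b"constructed-demo-key")   # fixed key only so the demo is reproducible
    codes = {pid: study.enrol(pid) for pid in ("p01", "p02", "p03", "p04", "p05")}
    study.record_response(codes["p01"])          # two participants take the bait
    study.record_response(codes["p02"])
    study.record_response("0000000000000000")    # an outsider's guess: rejected
    study.record_response(codes["p03"])          # p03 responds, then asks to withdraw
    study.withdraw("p03")
    return study


if __name__ == "__main__":
    s = run_demo()
    print(f"{len(s.roster)} participants remain, response rate {s.response_rate():.0%}")
```

In the constructed run, four participants remain after p03 withdraws and two of them responded, so the reported rate is 50%; the outsider's guess never enters the log. Using the participant's code as the thing the phishing email asks for keeps the study from collecting real passwords while still giving a per-person response measure.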


Finally,%the%ethical%constraints%of%a%simulated%phishing%attack%must%be% considered.%In%sending%out%simulated%phishing%attacks,%researchers%must%be%sensitive% to%the%embarrassment%and%upset%that%may%be%caused%by%a%participant’s%decision%to% respond,%in%the%same%way%as%working%with%past%victims.%Further%to%this,%the%deception% required%to%obtain%personal%information%to%conduct%an%attack%without%consent%may% be%considered%as%an%invasion%of%privacy.%In%summary,%although%it%is%the%most% ecologically%valid%measure,%providing%a%realSworld%assessment%of%susceptibility,%a% simulated%phishing%attack%compromises%the%experimental%control%gained%in%a%labS based%environment.%Therefore,%the%most%appropriate%methodology%may%depend% upon%the%factors%being%assessed%in%a%specific%experiment,%dependent%on%the%level%of% control%and%experimental%manipulation%required.%% ! 1.4!Overview!of!the!thesis! !

Through%a%number%of%experiments,%this%thesis%aims%to%develop%an%

understanding%of%individual%differences%in%susceptibility%to%online%fraud%victimisation.% Building%on%previous%research,%the%three%theoretical%strands%outlined%in%Figure%1.1%will% be%considered%both%independently%and%together%in%order%to%understand%how%these% interact%to%influence%susceptibility.%The%methodological%considerations%outlined% above%are%also%taken%into%account%throughout,%with%a%mixed%methods%approach%to% measuring%susceptibility%across%the%different%experiments.%% Study%1%describes%a%number%of%focus%group%discussions,%aimed%to%gather% qualitative%data%on%awareness%of%email%fraud,%and%of%persuasive%techniques% employed%by%the%fraudsters.%Studies%2%and%2a%provide%exploratory%data%about%user% awareness%and%experience%of%email%fraud.%Further%to%this,%Study%2a%introduces%a%small%

!

30!

set%of%email%stimuli,%with%participants%asked%to%judge%the%legitimacy%of%each.%This% provided%some%initial%data%on%the%stimuli%to%be%used%later%in%the%thesis.%% Study%3%introduces%these%stimuli%in%a%more%extensive%email%legitimacy%task,%as% a%measure%of%susceptibility,%and%assesses%this%in%relation%to%a%battery%of%cognitive% tasks%in%order%to%begin%building%a%profile%of%the%most%atSrisk%users.%This%study%also% considered%how%an%induced%time%pressure%on%the%email%task%affects%the%decisionS making%process.%In%Study%4,%an%adaptation%of%the%email%legitimacy%task%assesses%how% varying%the%proportion%of%phishing%and%legitimate%emails%in%the%stimuli%set%(with% majority%legitimate%emails%being%more%representative%of%a%genuine%inbox)%affects% performance,%and%the%predictive%nature%of%the%cognitive%variables%outlined%in%Study%3.% Study%4a%assesses%the%reliability%of%this%varied%proportions%version%of%the%email% legitimacy%task,%as%this%was%a%novel%task%developed%for%the%purpose%of%this%thesis%and% therefore%has%not%been%previously%tested.%Study%5%employs%a%thinkSaloud%protocol%to% gain%more%insights%into%the%cues%used%by%participants,%and%the%persuasive%techniques% they%are%aware%of,%in%identifying%phishing%emails%during%the%email%legitimacy%task.% This%also%allows%for%qualitative%evidence%to%be%gathered%demonstrating%the%presence% of%the%cognitive%predictors%outlined%in%Study%3.%Study%6%also%uses%the%email%legitimacy% task,%but%includes%secondary%tasks%to%be%completed%simultaneously.%In%emulating%a% situation%where%a%user%has%multiple%tasks%to%complete%at%once,%this%study% demonstrates%how%increased%cognitive%load%can%affect%the%decisionSmaking%process% when%assessing%email%legitimacy.%% Finally,%Study%7%outlines%an%alternative%methodology%for%assessing% susceptibility.%In%this%study%an%office%simulation%was%designed,%whereby%participants% were%naïve%to%the%nature%of%the%study,%and%completed%a%number%of%office%based%tasks,%

!

31!

including%email%management.%A%number%of%emails%were%sent%over%the%duration%of%the% simulation,%some%designed%to%emulate%phishing%emails,%and%response%likelihood%to% these%was%recorded.%The%cognitive%variables%outlined%as%predictive%in%Study%3%were% also%included%in%this%experiment,%to%assess%whether%findings%were%replicated%with%a% more%ecologically%valid%measure%of%susceptibility.%Chapter%9%provides%an%overview%of% the%findings%from%these%experiments,%as%well%as%a%comprehensive%discussion%of%the% theoretical%and%practical%implications%of%these.%%% ! ! !

! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! !

32!

! ! ! ! ! !

Chapter(2! Exploring!personal!experience!and!! understanding!of!fraud!

! ! !

Chapter!summary!

%This% chapter% reports% findings% from% three% initial% exploratory% experiments,% which% aimed% to% elicit% insight% on% participants’% personal% experiences% of% fraud.% Study% one% describes% qualitative% data% from% a% number% of% focus% group% discussions,% which% highlight% a% limited% understanding% of% more% sophisticated% phishing% attacks% and% a% tendency% to% rely% on% outSdated% cues% in% spotting% fraud.% Study% two% provides% further% insight% into% the% cues% employed% in% recognising% email% fraud,% with% data% from% two% distinct%age%groups%–%prospective%students%and%their%parents%at%University%open%days.% Study%2a%reports%further%data%about%personal%experience%of%fraud,%and%also%pilots%a% set%of%email%stimuli%for%use%later%in%the%thesis.%The%exploratory%data%collected%in%these% studies%provide%grounding%for%further%research%to%understand%why%there%are%apparent% differences% in% the% way% users% respond% to% phishing% emails,% and% how% this% information% might%be%utilised%to%reduce%susceptibility.% !

!

! 33!

2.1!Introduction! %

Shocking%statistics%about%victimisation%and%monetary%loss%are%commonplace%in%

adverts%and%warning%notices%regarding%online%fraud;%however%there%is%little%research% that%considers%the%personal%experiences%of%every%day%users%or%how%effective%media% warnings%are.%This%chapter%reports%two%initial%studies%about%just%that%–%asking%users% about%their%experience%of%fraud%in%both%online%and%offline%scenarios,%as%well%as%more% in%depth%information%about%the%cues%that%they%use%to%detect%deceptive% communications.%In%order%to%understand%how%best%to%tackle%the%issue%of%online%fraud% susceptibility,%it%is%important%to%understand%how%users%manage%their%emails%on%a%daily% basis%and%how%familiar%they%are%with%the%issues%they%face%regarding%online%security.%In% a%relatively%new%area%of%research%interest,%exploratory%analysis%such%as%that%described% in%this%chapter%provides%a%valuable%insight%into%how%the%topic%should%best%be% approached%in%a%way%that%can%directly%help%the%user%and%work%towards%reducing% susceptibility.%% %

In Study 1, a short questionnaire was constructed, incorporating both multiple choice and open-ended questions, to gain information about whether participants had experienced fraud in both online and offline environments, and about the cues that allowed them to recognise (or not recognise) the fraudulent nature of the communication. In addition, this questionnaire included measures of self-control and cognitive reflection to examine the relationship between these and participants' history of responding to fraudulent communications. These variables will be explored in more detail later in the thesis, but were included here to provide an insight into their relationship with self-reported victimisation. Holtfreter et al. (2010) reported lower levels of self-control being predictive of higher susceptibility to a telemarketing fraud scenario. It was suggested this might be because users with lower self-control are less likely to consider the negative consequences that may result from their choice to respond to the fraudulent communication. Cognitive reflection (Frederick, 2005) was also assessed here, as a measure of a participant's ability to rationally reflect upon a problem rather than relying on an intuitive response. Based on previous research and the nature of these variables, the following hypotheses were generated:

H1: Participants who demonstrate lower levels of self-control are more likely to report having previously responded to a fraudulent communication.

H2: Participants who demonstrate lower cognitive reflection are more likely to report having previously responded to a fraudulent communication.

The main part of this first study, though, was a focus group discussion that followed the questionnaire. As outlined by Onwuegbuzie, Dickinson, Leech, and Zoran (2009), focus groups are a valuable method for collecting rich data about users' experiences and opinions. The group scenario provides a less threatening environment for participants to share and interact with one another, which will hopefully encourage discussion of personal experiences with fraud. In addition, the focus group discussion will elicit information about the tactics participants use to protect themselves, including the cues used to recognise a fraudulent communication.

Study 2 consisted of a short questionnaire completed by attendees at a number of University open days, following a research talk about the current project. The open days provide an opportunity for prospective students and their parents to visit the campus and hear about the psychology department at Lancaster. This means that a different demographic to the usual undergraduate student sample was accessible, as the parents were also able to take part. Given the relatively recent growth of the internet as a platform for communication, entertainment, and knowledge, this alternative demographic is an interesting one as these users have learnt to use the internet as adults, whilst the students themselves are likely to have grown up with the internet being readily available to them. As outlined in Chapter 1, there is no consistent evidence for the effect of age on susceptibility. The elements of this study that look at how people experience fraudulent communications, in terms of frequency and response to these, may provide insightful evidence though when compared between different age groups. Similar to Study 1, this questionnaire asked participants about personal experiences of fraudulent communications in offline and online environments, as well as the cues that they used to recognise suspicious emails as such.

Study 2a focuses on online fraud, as this will be the focus of the remainder of the thesis. This study also sampled attendees of university open days, who were asked to respond to a number of short questions and judge the legitimacy of a set of email screenshots displayed to them. These email stimuli make up part of a stimuli set to be used in the email legitimacy task employed in Studies 3-6. The data collected in this study will allow measurement of the typical responses and accuracy of users in judging these stimuli, before developing the extended version of the task for further studies. Four open days are described in this study, with different email stimuli being used across these in order to test a wider range of stimuli for the further studies.

Given the exploratory nature of Studies 2 and 2a, no specific empirical hypotheses were generated. However, the general aim of the studies reported in this chapter is to establish how familiar users are with the issues and risks surrounding fraudulent communications, and whether there are certain common misconceptions that could potentially make users more vulnerable. Further to this, we aim to establish whether there are any links between users' internet usage habits and their understanding or awareness of email fraud.

2.2 Study one

2.2.1 Method

2.2.1.1 Participants. A sample of 68 participants, consisting of 57 females and 11 males, were all first year Psychology students at Lancaster University. Participants were aged between 18 and 29 years, with a mean age of 19.12 (SD = 1.58).

2.2.1.3 Materials.

Fraud experience questionnaire. All participants were asked to complete a questionnaire (shown in Appendix A [all appendices available at https://dx.doi.org/10.17635/lancaster/researchdata/117]) that incorporated a set of bespoke questions, developed to understand participant experiences and awareness of fraud in both online (email) and offline (face-to-face, telephone, and postal) environments. As well as asking for some basic demographic information, the questionnaire includes a combination of both multiple choice questions about the type of fraud experienced and internet usage, as well as open-ended questions about cues used to make response decisions.

Self-control scale. Originally reported by Tangney et al. (2004), the brief self-control scale consists of 13 items, some of which include: 'I am good at resisting temptation'; 'I say inappropriate things'; and 'People would say that I have iron self-discipline' (scale can be seen in Appendix B). A self-control score was obtained by summing the response values, after reverse scoring as appropriate.

Cognitive Reflection Test. The cognitive reflection test (CRT; Frederick, 2005) is a short test involving three problems, each of which has an intuitive response, which is incorrect. The test, shown in Figure 2.1, was originally developed using American currency in question 1, so this was changed to pounds sterling for the purpose of this experiment. The test is scored based on the number of correct responses that a participant gives, so each participant will receive a score between 0 and 3.

1) A bat and a ball cost £1.10 in total. The bat costs £1.00 more than the ball. How much does the ball cost? Five pence.
2) If it takes 5 machines 5 minutes to make 5 widgets, how long would it take 100 machines to make 100 widgets? Five minutes.
3) In a lake, there is a patch of lily pads. Every day, the patch doubles in size. If it takes 48 days for the patch to cover the entire lake, how long would it take for the patch to cover half of the lake? 47 days.

Figure 2.1 The Cognitive Reflection Test

Focus group discussion. Participants were asked to contribute to a group discussion, which was structured by the researcher around a list of core questions. These were formulated to instigate conversation within the group, whilst also loosely controlling the topics of conversation which were covered. An initial group discussion with 7 participants allowed assessment of the quality of question content. Following this, the questions were adjusted in order to maximise the amount of relevant information elicited from the groups. The data from this initial session will not be used in the final analysis. The questions used to instigate discussion can be seen in Appendix C. Examples include 'What cues do you rely on to recognise a scam email?' and 'When you think about victims of fraud, are there certain types of people who you imagine as the victims?'. A total of eight focus group discussions were conducted, with between 6 and 11 participants in each.

2.2.1.4 Procedure. This study took place in a large computer lab within the Psychology department, so that participants could complete the online questionnaire and then the focus group session in one place. Once consent was gained, participants completed the questionnaire part of the study on an Apple iMac via Google Docs, with each participant using an independent computer.

Once participants had completed the questionnaire they were then asked to join a group for the discussion. The discussion was led by the researcher, based upon the list of questions mentioned above. The questions were adjusted to fit around what was being said by that particular group in order to gain as much insight as possible, whilst ensuring that all of the key areas of interest were addressed during the discussion. Participants were also given the opportunity to ask any questions at the end. The discussions were voice-recorded for subsequent transcription and analysis. Finally, participants were debriefed once all of the tasks were completed. Following the study, the researcher transcribed each audio recording and the original audio files were deleted (transcripts can be viewed in Appendix D).

2.2.1.5 Data collation. Questionnaire data was collated, with closed-ended questions inputted accordingly and open-ended questions given a single code that was deemed most representative for the response. Consistency in responses meant that a set of codes could be established that were representative of all participants. In order to analyse the effect of self-control and cognitive reflection on past response behaviour, cases where the participant reported never having received a fraudulent communication were not included, as the focus was on response behaviour.

A data-driven approach was taken in analysing data from the focus group discussions, given the exploratory nature of this research. Thematic analysis was used to highlight key areas of interest in order to gain insight into user experiences of fraud. Large sections of each discussion were coded under these broader themes to begin with, before subthemes were generated during a second round of coding. Analysis was partially influenced by the semi-structured nature of the questions developed for the discussions, so the main themes extracted followed a similar pattern to these. Subthemes were established within each of the main themes, based on coding of each participant response during the sessions. The specific themes constructed are described in more detail below.

2.2.2 Results

2.2.2.1 Questionnaire data. Of the 68 participants who took part in the experiment, 56 reported having received a fraudulent communication of some sort. The type of communications participants reported having received are shown below in Figure 2.2.

[Figure 2.2: pie chart. Segment values shown: Online 57, Offline 2, and an unlabelled segment 41.]

Figure 2.2 Percentage of participants who reported receiving online, offline, or both types of communication

Offline fraud. The contexts in which participants' experiences occurred are outlined in Table 2.1 below. Of those who had experienced some form of offline fraud, 29% responded to the communication. The low response rate means that most participants gave a unique response when asked their reason for responding, with one participant citing each of the following reasons: curiosity, communication seemed relevant, naivety, sympathy for the sender, a good cause. Two participants reported threatening behaviour within the communication as their reason for responding. The reasons participants gave for choosing not to respond to a fraudulent communication are shown in Figure 2.3.

Table 2.1 Percentage of participants who reported experiencing offline fraud in each context

Received this type of communication    Face-to-face    Telephone    Post
Yes                                    46              71           29
No                                     54              29           71

[Figure 2.3: bar chart. X-axis 'Reason for not responding', with categories Unprofessional, Awareness, Irrelevant, Too good to be true, Personal information; y-axis 'Percentage response' (0 to 35); separate bars for Offline and Online.]

Figure 2.3 Reasons given for choosing not to respond to fraudulent communications in offline and online environments

Internet use. As shown below in Table 2.2, most participants (54%) reported spending between 3 and 6 hours per day on the internet. Participants were also given a multiple-choice question about what they used the internet for. The most common responses were social networking (88%) and university work (79%), whilst the least common were news (11.8%) and shopping (10.3%). When asked how long they had actively been using the internet, the majority of participants (62%) reported using the internet for over 6 years, whilst 32% had been using it for 3 to 6 years and only 6% for between 1 and 3 years. No participants reported using the internet for less than one year or not regularly using the internet.

Table 2.2 Number of hours spent online each day by participants

Time spent on the internet per day             % participants
0-1 hours                                      0
1-3 hours                                      22
3-6 hours                                      54
6+ hours                                       24
I do not use the internet on a daily basis     0

Online fraud. The contexts in which online fraudulent experiences reported by participants occurred are outlined in Table 2.3 below. Of those who had experienced fraud online, only 4% reported responding to the communication. Accounting for those who have never received a fraudulent online communication, this meant that only 2 participants chose to respond, and the reasons given for this were financial benefit and the official manner of the communication. The reasons that participants gave for choosing not to respond are shown above in Figure 2.2.

Table 2.3 Percentage of participants who reported experiencing online fraud in each context

Received    Computer at home    Computer at work    Tablet at home    Tablet at work    Mobile at home    Mobile at work
Yes         96                  9                   11                0                 40                7
No          4                   91                  89                100               60                93

Cognitive measures. After removing those cases in which participants reported never having received a fraudulent communication, independent samples t-tests were conducted to establish whether there was a difference in self-control and cognitive reflection scores between those who had and had not responded to fraudulent communications in offline or online environments. The mean scores and standard deviations for each response in each environment are shown in Table 2.4. No significant difference in self-control scores between those who responded and those who did not was found in either offline, t(22) = -0.07, p = .94, d = 0.03, or online environments, t(53) = -1.92, p = .06, d = 1.24.

Further to this, no significant difference was found between scores on the cognitive reflection test and response to fraudulent communications in an offline, t(22) = 0.33, p = .75, d = 0.14, or online environment, t(53) = 0.06, p = .96, d = 0.03.

Table 2.4 Means and standard deviations for self-control scale and cognitive reflection test scores by response to fraudulent communication

            Offline                                            Online
            Self-control score    Cognitive Reflection score   Self-control score    Cognitive Reflection score
Response    Mean      SD          Mean      SD                 Mean      SD          Mean      SD
Yes         35.14     8.23        1.14      1.07               27.50     9.20        1.00      1.41
No          35.41     8.20        1.00      0.94               37.85     7.45        0.96      0.92

2.2.2.2 Focus group data.

Construction of themes. Given the semi-structured nature of the focus group schedule that was developed prior to the commencement of the group discussions, the themes constructed from the resulting data follow a similar pattern. Across the eight focus group discussions conducted, four themes were extracted, with a total of 11 subthemes. These are illustrated in Table 2.5 and are described in more detail below.

Table 2.5 Framework of user focus group themes

Theme                                         Subtheme
1. Knowledge and understanding of scams       1.1 Types of scam
                                              1.2 Knowledge from the media
                                              1.3 Experience of family and friends
2. Perception of 'typical' victims            2.1 Age
                                              2.2 Experience
3. Personal experience                        3.1 Differences between university and personal email accounts
                                              3.2 Emotional reaction
4. Detecting deceptive emails                 4.1 Spam filtering
                                              4.2 Authority level of the sender
                                              4.3 Familiarity of the sender
                                              4.4 Relevance of communication

Knowledge and understanding of scams. Participants across all of the focus group sessions demonstrated an awareness of the most common types of scams in both online and offline settings. Offline examples include fake phone numbers for companies that are listed as the top hit on a Google search for the genuine company phone number, and key loggers on ATM machines that collect information from the victim's credit card and can then be used to make online purchases. Online examples include emails "pretending to be your bank, saying like, you need to put your bank details in and change your password" (P24, Session 6, Line 5), romance scams, "a lot that say I've won the lottery in like a different country" (P9, Session 2, Line 8), and emails that induce a sense of panic, for example by threatening the user with loss of access to their online account for a given company. Further to this, some participants demonstrated an understanding of the concept of spear phishing, which involves collecting personal information about the user from sources such as social media accounts, in order to make an email more targeted and believable. Participants reported that they may be more likely to trust such an email if it contained personal information, "because if they can tap into your interests and your hobbies they can tap into that to send you emails that you think 'oh, this might be genuine, I might be interested in this'" (P33, Session 7, Line 80).

When asked to consider the difference between how they would react to online versus offline fraudulent communications, participants were split in their opinions. Some argued that they would be better at detecting the fraudulent nature of these communications in an online scenario, saying that there are more cues available in an email rather than, for example, over the phone, "because it's like a visual, you're seeing it rather than just hearing it" (P1, Session 1, Line 66). In addition, these participants felt that they had a better understanding and awareness of online scams. On the other hand, some participants felt that offline fraud is easier to recognise, arguing that "over the phone, I don't know, in general you get a feeling for whether they're actually genuine or not" (P36, Session 8, Line 50), and that "you can hide a lot over the internet" (P36, Session 8, Line 49).

There was a general consensus amongst participants that the media provides useful information to users about the danger of scams. Some participants highlighted the value of news reports about recent scams and advice on how to avoid being conned, as well as the information provided in television programmes such as "the Real Hustle, that's quite good" (P17, Session 4, Line 21), which demonstrate to the public how fraudsters plan and execute scams. A number of participants did however report that their best source of knowledge about fraud comes "from friends and family, like, people that have been affected by it" (P21, Session 5, Line 45). For example, some participants indicated that they are reliant upon their parents for advice and warnings about fraud. However, it seems that this knowledge sometimes only develops following a personal experience of the scam – meaning that in many cases it comes too late for the victim, even if it does mean that they are able to pass on a warning to those around them, as one participant points out:

    Probably need to be kept more up to date so people are actually aware of new scams that are around because you quite often don't know about them until they're actually out there and you may have fallen for it. (P29, Session 7, Line 131)

Perception of 'typical' victims. There were some mixed responses amongst participants about who a 'typical' fraud victim might be. Most respondents commented on the age of the user, with many feeling that older users would be most likely to become victims, possibly because they are grateful for the company and attention that communication with another individual – in both online and offline scenarios – can provide:

    like my Nan is always getting those kinds of phone calls and she's 90 so she's like completely oblivious to things like that and they're ringing up saying 'congratulations' and she feels 'aww, thank you', she's really happy, and she doesn't understand the concept at all that this person, that she hasn't won anything but she thinks she has. (P11, Session 3, Line 146)

However, some other participants reported that they considered younger internet users to be at higher risk. In both cases, participants gave similar responses when considering why it is that these groups may be more likely to be victims – which was due to them being "less accustomed to using the internet" (P6, Session 2, Line 106). Participants felt that those who have not been using the internet for as long may not be aware of the numerous scams that exist and how to identify them.

Personal experience. All participants reported having both a university and a personal email account, and most agreed that they were more wary of the emails that they received to the personal account. Many said that they use their personal email accounts to sign up for newsletters and websites, so they receive a lot more traffic – including that from third parties to whom their details have been sold – in that account. Given the smaller level of traffic, and the people who emails are from, participants seemed to be more trusting of emails that came into their university accounts as these were usually all relevant to the recipient. Participants did report that if an email from a trusted source came into their university account containing information that is "nothing related to the course then you'd be a bit more suspicious". It seems a common assumption amongst our participants that lecturers' accounts are more secure and can be trusted, in comparison to a friend's Hotmail or Gmail account, which is deemed much more likely to be hacked:

    I think you just automatically think, 'oh it's from my lecturer, it's going to be fine', whereas you know quite a few friends have been hacked before and you get quite a few spam ones, you just don't think it would happen to a lecturer. (P28, Session 7, Line 49)

Some participants reported feelings that they would be embarrassed if they did become a victim of fraud. It seemed amongst the participants that there was a kind of stigma attached to fraud victimisation, with one participant even suggesting that "I think you've got to be a bit stupid [to fall victim]" (P11, Session 3, Line 135).

Detecting deceptive emails. When asked what cues normally make them aware of the fraudulent nature of an email, participants gave a number of responses that typify the 'stereotypical' view of what a phishing attack would look like – elements such as "overuse of exclamation marks" (P6, Session 2, Line 5), spelling and punctuation errors, "a logo which is not exactly the same as the real people, but quite similar" (P12, Session 3, Line 15), and an impersonal approach, for example "in bank emails they refer to me by email address and not my actual name" (P18, Session 4, Line 12). Whilst these indicators are beneficial in spotting the more obvious phishing emails, the development of sophisticated approaches to phishing means that they are not always reliable in spotting the more subtle attacks.

Overall, it seemed that most participants are not entirely trusting of the in-built spam filters that email providers use, with many emphasising that "there's lots of stuff that it does stop, but like you said, there's stuff that goes in there that shouldn't and obviously there's stuff that goes into your inbox that shouldn't be there" (P6, Session 2, Line 30). This means that users are required to check their spam folder on a regular basis to ensure that no genuine emails have ended up in there, which most participants reported doing.

A lot of participants reported that they always open emails that come from lecturers, with most agreeing that they considered lecturers' accounts more trustworthy and presumed "that they wouldn't have viruses because they're probably not like being fooled on the internet, not like your friends" (P11, Session 3, Line 105). When asked why they thought they were more trusting of emails from lecturers, participants suggested that this was likely to be due to the familiarity of the scenario as well as the authority level of the sender:

    P11: I don't know, if I got an email off the Police and you opened it then I'd still be suspicious…I don't think it's to do with that.

    P12: It depends how realistic it is, because realistically we are quite likely to get an email from a lecturer saying 'oh, could you open this and fill it in before you come' or something like that, it 'we're conducting this kind of survey' because they do it all the time, but the Police, like with your example, I would be wary because the Police don't just go around emailing you. (Session 3, Line 112)

Therefore, it seems there is an interaction between the authority level and the familiarity of the sender to the user in the believability of a fraudulent email. Whilst some participants commented that they would "probably click on it if it was my friend" (P21, Session 5, Line 75), compared to something coming from an unknown company, many participants commented in reference to emails from friends, "it's different, like, a lot of my friends, the link is via Facebook, I wouldn't normally get emails from them so I'd find that a bit strange" (P5, Session 2, Line 65). Therefore, it seemed that they would be more likely to immediately question the veracity of an email from a peer. Most participants agreed that in this situation they would contact the friend who the email came from "because then you'd have to let them know that their account has been hacked" (P5, Session 2, Line 75). Others highlighted a feature within Hotmail, which is likely available from other email providers as well, whereby there is an option to click 'My friend has been hacked'. This allows the email provider to address the issue, as well as contact the account holder and provide them with relevant advice.

Finally, it was clear from all participants that the relevance of any given communication is a key factor in their likelihood to pay attention or respond to it. Participants reported that they would feel more suspicious "if it's an email [address] you just don't recognise, that you haven't been involved with before" (P37, Session 8, Line 12). It seems that the success of a given phishing attack is partly dependent, on a user-by-user basis, upon the relevance of the communication to the given recipient.

2.2.3 Discussion

This study aimed to gain an insight into the personal experiences of users with regard to online and offline fraud. With two sections – a short questionnaire, and a follow-up focus group discussion – exploratory information was elicited about users' familiarity with fraudulent communications, and their approaches to dealing with these.

Considering how commonplace phishing emails are these days, accounting for one in every 392 emails sent in 2013 (Symantec, 2014), it was surprising to find that 18 per cent of the sample claimed to have never received a fraudulent communication, either online or offline. However, this may be due to the limited demographic of the sample, with a narrow age range, and a low mean age. These participants may only have had email accounts for a short period of time and be less likely to receive much mail through the post or through other mediums of offline fraud. Alternatively, it may be that these participants have received such a communication, but were unaware of its fraudulent nature. Of those participants who did report having received a fraudulent communication, it was apparent that this was more common in online scenarios than offline. Due to the ease for fraudsters to distribute their scams online, as well as it being more economically viable in the costs to send out the scam relative to the returns obtained, internet-based scams such as phishing emails are becoming more commonplace than alternative methods, such as telephone and postal fraud.

When asked about the cues used to recognise a fraudulent communication as such, participants gave many of the same responses when referring to offline and online scams. Across both environments, the unprofessional appearance and irrelevance of communications were in the top three reasons for participants choosing not to respond. For offline fraud, 'too good to be true' scenarios were also frequently given as a reason to not respond, whilst for online fraud, awareness of the scam or scams in general was given as the top reason for recognising the fraudulent nature of the communication. Given the higher prevalence of email fraud, it might be that participants are more aware of particular online than offline scams due to increased media coverage, or discussion amongst peers.

Hypotheses 1 and 2 predicted that lower levels of self-control and cognitive reflection, respectively, would be related to an increased likelihood to have responded to a fraudulent communication in the past. However, neither of these variables was found to be associated with likelihood to respond. This may be due to the small response rate within the sample though. In a young demographic, past response may underestimate susceptibility, as it may be that users just have not received as much email traffic, and so have not yet received a convincing enough phishing email. With an alternative measure of potential susceptibility, a difference in performance may become apparent.

During the focus group discussions, participants demonstrated a knowledge of various types of scams, in both online and offline environments. Despite this, some admitted that they would find a spear phishing attack, incorporating personal information about them, to be more believable. This suggests that awareness of scams does not necessarily mean immunity to them, which may be important in the attempts made to educate users and reduce their susceptibility. Further to this, most users commented that they would trust anything that came from a lecturer's email account, and felt that those in more senior positions would not be hacked. This reinforces findings from Guéguen and Jacob (2002), which highlight the influence of authority on response likelihood to a phishing email. It seems that although participants are aware of online fraud and how prevalent it is, they do not realise that anyone could be susceptible to hacking, regardless of their position or level of authority.

This was emphasised when participants were asked who they perceived to be more vulnerable to fraudulent communications. There seemed to be two extremes in participants' responses: either older users who have had less experience in using computers and are less familiar with technology; or younger users who have not had online accounts for as long and so would not get the same volume of traffic into their accounts. Whilst there is empirical evidence to support both of these opinions (as discussed in Chapter 1), the contradictory nature of past research findings suggests that there is no specific demographic profile of who is most susceptible to fraud, and this is an important point in itself for users to understand – that anyone can become a victim in a certain situation or frame of mind.

When asked about the cues that they would use to recognise fraudulent communications, participants listed numerous stereotypical cues, such as poor spelling and grammar, which are often out-dated when it comes to the more sophisticated phishing emails that are becoming more commonplace and pose a higher risk to the user. Whilst users felt that most media coverage of scams was relatively useful, it is apparent that what is being learnt from this is a very basic understanding of the threat of fraudulent communications, which does not advance at the same rate as the sophistication of the scams. Certain approaches can be valuable though, for example television shows like the Real Hustle, which educate users on the methods used by the fraudsters so that users can understand how the scams are developed rather than simply how a message might look. It seems, however, that the most effective method of education currently comes from personal experience, when it is too late and the user has already become a victim. This emphasises the need to understand users' susceptibility and attempt to develop ways to educate users that remain effective in the long term, even with the advancement of the techniques used within the scams making them more believable.

The use of focus groups in this study encouraged discussion between participants, eliciting a valuable data set that provides insight into the extent to which our sample has experienced fraud, and their perceptions of this. However, as discussed in previous literature (Smithson, 2000; Leung & Savithiri, 2009), one limitation to this methodology should be noted. In each of the group discussions, some members of the group were more dominant in responding to questions and discussing experiences. The group setting means that more introverted participants or those with little experience of fraud are able to avoid speaking aloud in front of a group. However, this does mean that the data collected is limited to a smaller number of more outspoken group members and may have masked information withheld by those more introverted participants. There were multiple participants engaging in conversation in each focus group though, even if this did not involve all participants, providing a sufficient sample of data for this initial exploratory study.

From this study, in particular the focus group discussions, it is clear that participants demonstrate a basic, but not a comprehensive, understanding of fraudulent communications. Although they are able to identify a number of types of scams, there is little appreciation for the fact that anyone, of any age or professional status, might become a victim of fraud or account hacking. It might be that long-term educational approaches need to address the theoretical logic behind how scams are developed and executed in order for users to be able to recognise novel, more sophisticated scams as they emerge. However, the data collected in this study was reliant on participants recalling from memory the cues that they utilise when judging the legitimacy of communications. Therefore, a real-time assessment of cues utilised by participants in decision-making surrounding such communications may be beneficial.

2.3 Study two

2.3.1 Method

2.3.1.1 Participants. A total of 108 participants were recruited at a departmental UCAS open day at Lancaster University for the Psychology department. The sample consisted of 36 males and 72 females, aged between 17 and 69 years, as both applicants and their families were present at the open day. The mean age was 32.28 years (SD = 16.15).

2.3.1.3 Materials. A questionnaire was developed for the purpose of this experiment (this can be seen in Appendix E). This consisted of demographic questions, as well as questions about the contexts in which participants had received fraudulent communications, and their reasons for responding or not responding. These questions were designed to elicit information about the frequency of scam occurrence, as well as an overview of the cues used in detecting fraud. The nature of the questions included meant that some were multiple-choice, allowing simple quantitative analysis, whilst open-ended questions about reasons for responding or not responding to a phishing email required coding for the purpose of content analysis.

2.3.1.4 Procedure. At the UCAS open day, Dr. John Towse gave a talk to all prospective students and their parents about the work being carried out on this project. This highlighted the relevance of psychological processes underlying fraud victimisation and why this is an important area to study. At the end of the talk, a consent slide was displayed as part of the PowerPoint display from the talk and this was discussed with the participants to ensure that they understood that participation was completely voluntary and they had the right to withdraw their data should they wish to do so. Whilst this talk was being given, a copy of the information sheet and the short questionnaire were given to each member of the audience. Participants were then walked through the questions in front of them whilst they filled in the questionnaire.

2.3.1.5 Data collation. Responses to closed-ended questions from this study were inputted accordingly, whilst responses to open-ended questions were allocated a single code, deemed to be the most representative for the response. Frequency data about each of the coded responses was then calculated in order to demonstrate the cues that users are most reliant on in email management.

In order to assess the distinction between the two age groups within the sample (i.e. students and parents), participants were categorised as being either in the ‘younger’ or the ‘older’ age group. Based on the distribution of participant ages within the sample, a threshold of 30 years was used to distinguish between members of the sample. This resulted in 59 participants categorised in the ‘younger’ age group, with an age range between 17 and 28 years, and 49 participants in the ‘older’ age group, with an age range from 39 to 69 years.

2.3.2 Results

2.3.2.1 Descriptive statistics. When asked whether they had personally received a fraudulent communication, 100 per cent of participants reported that they had. Of these participants, 88.9 per cent reported that they had received either an online communication, or both online and offline communications, whilst only 11.1 per cent reported having received just offline fraudulent communications. Participants were then asked whether they had responded to such a communication, and 8.3 per cent reported that they had.

2.3.2.2 Demographic data. There were two distinct age groups in this sample, given the nature of the open day where data was collected. A chi-square analysis to compare self-reporting of past response to fraud found no difference between the two age categories, χ² (1, N = 108) = 1.80, p = .18, V = .13. A further chi-square analysis was run to establish whether gender was influential on past response, but no significant difference was found, χ² (1, N = 108) = 0.55, p = .46, V = .07.
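The age-group comparison reported above (and repeated in the collective analysis of Study 2a) is a chi-square test of independence on a 2x2 table of age group against prior response, with Cramér's V as the effect size. The Python below is an added example, not the thesis's own analysis script: it applies the 30-year threshold from Section 2.3.1.5, computes Pearson's chi-square (assumed here without continuity correction), derives the df = 1 p-value, and recomputes p and V from a reported statistic so a reader can check a write-up; the per-group responder counts are constructed, since the thesis does not report them.

```python
import math

# Age threshold the thesis uses to split the open-day sample into
# 'younger' (students) and 'older' (parents) groups.
AGE_THRESHOLD = 30


def age_group(age):
    """Return 'younger' for ages below the threshold, otherwise 'older'."""
    return "younger" if age < AGE_THRESHOLD else "older"


def contingency(records):
    """Build a 2x2 table {age_group: {responded: count}} from (age, responded) pairs."""
    table = {"younger": {True: 0, False: 0}, "older": {True: 0, False: 0}}
    for age, responded in records:
        table[age_group(age)][bool(responded)] += 1
    return table


def chi_square_2x2(table):
    """Pearson chi-square for a 2x2 table (df = 1, no continuity correction).

    Each cell contributes (observed - expected)^2 / expected, where
    expected = row total * column total / N.  Returns (chi2, N).
    """
    groups = list(table)
    outcomes = [True, False]
    n = sum(table[g][o] for g in groups for o in outcomes)
    row_tot = {g: sum(table[g][o] for o in outcomes) for g in groups}
    col_tot = {o: sum(table[g][o] for g in groups) for o in outcomes}
    chi2 = 0.0
    for g in groups:
        for o in outcomes:
            expected = row_tot[g] * col_tot[o] / n
            chi2 += (table[g][o] - expected) ** 2 / expected
    return chi2, n


def p_value_df1(chi2):
    """Upper-tail p for a chi-square with 1 df: P(X > chi2) = erfc(sqrt(chi2 / 2))."""
    return math.erfc(math.sqrt(chi2 / 2.0))


def cramers_v(chi2, n):
    """Cramér's V effect size; for a 2x2 table this is sqrt(chi2 / N)."""
    return math.sqrt(chi2 / n)


def check_reported(chi2, n):
    """Recompute p and V (2 d.p.) from a reported chi-square and N to check a write-up."""
    return round(p_value_df1(chi2), 2), round(cramers_v(chi2, n), 2)


# Constructed records, NOT the thesis data: 59 younger and 49 older participants
# (the thesis group sizes) with 9 self-reported responders split 3/6 between them.
CONSTRUCTED_RECORDS = ([(20, True)] * 3 + [(20, False)] * 56
                       + [(50, True)] * 6 + [(50, False)] * 43)


def analyse(records):
    """Full pipeline: categorise ages, tabulate, test; returns (chi2, N, p, V)."""
    chi2, n = chi_square_2x2(contingency(records))
    return chi2, n, p_value_df1(chi2), cramers_v(chi2, n)


if __name__ == "__main__":
    chi2, n, p, v = analyse(CONSTRUCTED_RECORDS)
    print(f"constructed sample: chi2(1, N={n}) = {chi2:.2f}, p = {p:.2f}, V = {v:.2f}")
    # The thesis reports chi2(1, N=108) = 1.80, p = .18, V = .13 for age group and
    # chi2(1, N=108) = 0.55, p = .46, V = .07 for gender; both pairs are consistent.
    for reported in ((1.80, 108), (0.55, 108)):
        print(reported, "->", check_reported(*reported))
```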

2.3.2.3 Context information. Table 2.6 below shows the descriptive statistics obtained when participants were asked about the contexts in which they have received both online and offline communications. These demonstrate that participants report receiving more fraudulent communications, both online and offline, in the home environment than in a work environment. It is also apparent that online communications are most commonly received via computer, whilst offline communications mostly by phone.

2.3.2.4 Reasons for response decision. Those participants who reported having not responded to a fraudulent communication were asked how they identified the malicious nature of these. Their responses were coded, and percentage responses are shown below in Table 2.7. The sample of participants who reported that they had previously responded to a fraudulent communication was small (N = 9), so most reasons given were only given by one participant. These included: financial need, negative consequences of not responding, and being unfamiliar with issues surrounding fraud. There were also five participants who did not give a reason for their choice to respond.

Table 2.6 Percentage of participants who reported having received fraudulent communications through each medium in online and offline environments

Context                    Percentage
Online
  Computer at home         84.3
  Computer at work         16.7
  Tablet at home           3.7
  Tablet at work           0
  Smartphone at home       21.3
  Smartphone at work       1.9
Offline
  Phone at home            30.6
  Phone at work            5.6
  Post at home             12
  Post at work             2.8
  Face-to-face at home     2.8
  Face-to-face at work     1.9

Table 2.7 Frequency of reasons given for not responding to a fraudulent communication

Reason for response decision       Percentage
Awareness of scams                 55.6
Irrelevant communication           17.2
Appearance/wording of email        10.1
‘Too good to be true’              8.1
Asking for too much information    3.0
Unclassifiable                     6.1

2.3.3 Discussion

During this experiment, basic information was collected about the situations in which users receive fraudulent communications, and the cues that they use to detect these as such and prevent victimisation. All participants in this study reported that they had received a fraudulent communication, with a vast majority having had such a communication online at some point. The self-reported response rate from participants was slightly higher than expected at 8.3 per cent, where the reported average rate is around 5 per cent (Norton, 2014). Fraud victimisation, especially online fraud, is known to go heavily underreported though (Copes, Kerley, Mason, & Van Wyk, 2001), and so it might be that when asked directly and anonymously, participants were more likely to acknowledge their victimisation.

There were two distinct age groups involved in this study, given the nature of the event where data was collected, with students attending the open day with their parents. Previous research has provided contradictory evidence about the age group that might be most at risk, as discussed earlier in Chapter 1, with some indicating that older users are more at risk (Pak & Shadel, 2011; Shadel & Pak, 2007) whilst others suggest that younger users are more susceptible (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010; Pratt, Holtfreter, & Reisig, 2010). In line with this, no difference was found between these two age groups in their likelihood to have responded to a fraudulent communication. As with Study 1 though, the small response rate found within our participants means that the comparison between those who did and did not respond is not necessarily representative given the vastly different group sizes.

In all scenarios, across both online and offline environments, participants reported receiving more fraudulent communications whilst at home than whilst at work. This may simply be because participants receive a higher volume of emails to personal accounts and addresses than at work, or because security software is more effective in an organisational setting. In this short questionnaire, participants who had responded to fraudulent communications were not asked about the scenario in which this occurred, so it cannot be reported whether a higher volume of traffic to certain mediums makes users more susceptible. Although Vishwanath et al. (2011) provide evidence that increased email load makes users more susceptible to phishing emails, there is not enough evidence from this questionnaire to support or refute this. Situational factors should also be considered – for example, at work a user might be under increased pressure, and thus be more prone to errors in decision-making, whilst at home they may have more time to contemplate emails. Such influences will be considered in more detail later in the thesis.

As shown in Study 1, awareness of scams was the most frequently reported cue to recognising scams as such. Whilst this is a positive finding, in that it suggests that users are able to recognise some scams, it does mean that their reliance on recognising a scam based on familiarity might leave them more susceptible when faced with a novel, more sophisticated scam. The second most frequent response was that the communication received was irrelevant to them, which again is a useful cue for more generic phishing. However, more sophisticated spear phishing attempts often use personal information to make the communication more relevant to the user. Therefore, users seem well prepared to protect themselves against basic phishing attacks. However, users are often unable to apply knowledge to unfamiliar risks (Downs et al., 2006), which raises concern for their ability to protect against novel attack strategies.

2.4 Study 2a

2.4.1 Method

2.4.1.1 Participants. A total of 371 participants completed the study, across four different UCAS open days at Lancaster University. Participants were visiting the university either as prospective students, or as the parents/guardians of these prospective students. Information about participants’ gender was only recorded for open days 1, 2, and 3 (with 12 participants who did not report gender across open days 2 and 3), but the age of participants across all open days ranged from 16 to 72 years (M = 32.24, SD = 16.41). Participant information for each of the open days individually, including participant gender for those where this was recorded, is shown in Table 2.8.

Table 2.8 Descriptive statistics for each open day

Open day    N     Age (mean)   Age (SD)   Student   Parent   Male   Female
1           145   31.73        16.65      79        63       34     101
2 and 3     145   32.56        16.15      71        65       41     92
4           81    32.60        16.58      43        38       -      -

2.4.1.3 Materials. A similar set of questions to the two previous studies was developed for the purpose of this study to gain insight into participants’ perception of email fraud and previous history of responding to phishing. In addition, this study incorporated a small set of email stimuli that participants were asked to judge on legitimacy, in order to assess their ability to recognise phishing emails. At each open day, four emails were displayed, each of which was obtained from either the researcher’s own inbox, from friends and colleagues, or from online articles relating to phishing. The emails varied across the open days, but were all stimuli that will also be used in later studies in this thesis. Therefore, the data permit an analysis of the difficulty of the legitimacy judgment task. Questions were answered in paper form at the first of the open days, but personal response units were used for the remainder. These devices allow participants to respond to questions displayed on a screen at the front of the lecture theatre.

2.4.1.4 Procedure. At each of the UCAS open days, a talk was given to prospective students and their parents about the current research project looking at individual differences in susceptibility to fraudulent emails. At the first open day, participants completed a pen and paper version of the questionnaire (see Appendix F), handed out during the talk. At the remainder of the open days, each attendee was handed a Promethean ActivExpression response unit on entering the lecture theatre, which would allow him or her to respond to the questions following the talk (shown in Appendix G), via an ActivHub device plugged into the computer. This allows for responses to be collected wirelessly. At the end of the talk, a consent slide was displayed on the screen at the front of the lecture theatre, which outlined the voluntary nature of participation in the questionnaire and the participant’s right to withdraw their data. The questions and email stimuli were then displayed one at a time on the screen, through the Flipchart software that is designed to work with the response units. Each question had a 30 second time limit, after which the next question would be displayed. Responses were recorded with an anonymous response unit number associated with each, and were then downloaded and saved to an encrypted hard drive following the talk.

2.4.1.5 Data collation. Data for questions that were displayed at all of the open days were collated for analysis. However, the emails presented at the open days were different each time, so it may be that the types of email presented are also having an effect on performance in this task. As a result it was decided that the variables affecting accuracy in judging emails would be analysed separately for each open day.

As in Study 2, participant age was categorised into a ‘younger’ and ‘older’ age group to distinguish between student and parent sample groups. Using the threshold of 30 years again, the sample consisted of 193 participants in the ‘younger’ age category, with an age range of 16 to 25 years, and 166 participants in the ‘older’ age category, with a range from 34 to 72 years.

2.4.2 Results

2.4.2.1 Collective analysis. The collective analysis demonstrated an overall rate of 5.9 per cent for participants who reported that they had previously responded to a phishing email (although there were 75 participants who did not respond to this question). Of these participants, a higher percentage (78%) were older participants than younger participants (22%), χ² (1, N = 296) = 5.63, p

Daneman, M., and Carpenter, P. A. (1980). Individual differences in working memory and reading. Journal of Verbal Learning and Verbal Behavior, 19 (4), 450-466.

Daneman, M., and Newson, M. (1992). Assessing the importance of subvocalization during normal silent reading. Reading and Writing, 4 (1), 55-77.

de Groot, A. D. (1946). Het Denken van den Schaker (Thought in Chess). Doctoral thesis. University of Amsterdam, Amsterdam (in Dutch).

Dong, X., Clarke, J. A., and Jacob, J. (2008). Modelling user-phishing interaction. In Proceedings of Human System Interaction, 627-632. IEEE.

Downs, J. S., Holbrook, M., and Cranor, L. F. (2006). Decision strategies and susceptibility to phishing. In Proceedings of the Second Symposium on Usable Privacy and Security (pp. 79-90). ACM.

Downs, J. S., Holbrook, M., and Cranor, L. F. (2007). Behavioural response to phishing risk. In Proceedings of the Anti-Phishing Working Groups Second Annual eCrime Researchers Summit, 37-44. ACM.

Duncker, K. (1945). On Problem Solving. Washington: The American Psychological Society.

Engle, R. W. (1996). Working memory and retrieval: An inhibition-resource approach. In J. T. E. Richardson, R. W. Engle, L. Hasher, R. H. Logie, E. R. Stoltzfus, and R. T. Zacks (Eds.), Working Memory and Human Cognition (pp. 89-119). London: Oxford University Press.

Ericsson, K. A., and Simon, H. A. (1993). Protocol Analysis: Verbal Reports as Data (revised edition). Cambridge, MA: MIT Press.

Ericsson, K. A., and Simon, H. A. (1998). How to study thinking in everyday life: Contrasting think-aloud protocols with descriptions and explanations of thinking. Mind, Culture, and Activity, 5 (3), 178-186.

Erickson, T. D., and Mattson, M. E. (1981). From words to meaning: A semantic illusion. Journal of Verbal Learning and Verbal Behaviour, 20 (5), 540-551.

Eriksen, B. A., and Eriksen, C. W. (1974). Effects of noise letters upon the identification of a target letter in a nonsearch task. Perception & Psychophysics, 16 (1), 143-149.

Evans, J. B. T. (2003). In two minds: Dual-process accounts of reasoning. Trends in Cognitive Science, 7, 454-459.

Fan, J., McCandliss, B. D., Sommer, T., Raz, A., and Posner, M. I. (2002). Testing the efficiency and independence of attentional networks. Journal of Cognitive Neuroscience, 14, 340-347.

Fette, I., Sadeh, N., and Tomasic, A. (2007). Learning to detect phishing emails. In Proceedings of the 16th International World Wide Web Conference, 649-656. ACM.

Finn, P., and Jakobsson, M. (2007). Designing ethical phishing experiments. Technology and Society Magazine, IEEE, 26 (1), 46-58.

Frederick, S. (2005). Cognitive reflection and decision making. The Journal of Economic Perspectives, 19 (4), 25-42.

Friedman, B., Hurley, D., Howe, D. C., Felten, E., and Nissenbaum, H. (2002). Users’ conceptions of web security: A comparative study. In CHI’02 Extended Abstracts on Human Factors in Computing Systems (pp. 746-747). ACM.

Garera, S., Provos, N., Chew, M., and Rubin, A. D. (2007). A framework for detection and measurement of phishing attacks. In Proceedings of the 2007 ACM Workshop on Recurring Malcode, 1-8. ACM.

Germine, L., Nakayama, K., Duchaine, B. C., Chabris, C. F., Chatterjee, G., and Wilmer, J. B. (2012). Is the Web as good as the lab? Comparable performance from Web and lab in cognitive/perceptual experiments. Psychonomic Bulletin and Review, 19 (5), 847-857.

Gilovich, T., Griffin, D., and Kahneman, D. (2002). Heuristics and Biases: The Psychology of Intuitive Judgment. Cambridge: Cambridge University Press.

Goldberg, L. R. (1999). A broad-bandwidth, public domain, personality inventory measuring the lower-level facets of several five-factor models. In I. Mervielde, I. Deary, F. De Fruyt, and F. Ostendorf (Eds.), Personality Psychology in Europe, 7, 7-28. Tilburg, The Netherlands: Tilburg University Press.

Gottfredson, M. R., and Hirschi, T. (1990). A General Theory of Crime. Stanford: Stanford University Press.

Guéguen, N., and Jacob, C. (2002). Solicitation by e-mail and solicitor’s status: A field study of social influence on the web. CyberPsychology & Behaviour, 5 (4), 377-383.

Hadlington, L. (2015). Cognitive factors in online behaviour. In A. Attrill (Ed.), Cyberpsychology (pp. 249-267). New York: Oxford University Press.

Harrell, F. E. Jr. (2001). Regression modelling strategies: With implications to linear models, logistic regression and survival analysis. New York: Springer.

Harrison, B., Vishwanath, A., and Rao, R. (2016). A user-centered approach to phishing susceptibility: The role of a suspicious personality in protecting against phishing. In 2016 49th Hawaii International Conference on System Sciences (HICSS) (pp. 5628-5634). IEEE.

Harrison, M. (2015). Understanding the mechanisms underlying scam vulnerability (Unpublished undergraduate dissertation). Lancaster University, Lancaster.

Hasher, L., and Zacks, R. T. (1988). Working memory, comprehension, and aging: A review and a new view. In G. H. Bower (Ed.), The Psychology of Learning and Motivation (vol. 22, pp. 193-225). San Diego: Academic Press.

Hillman, C. H., Motl, R. W., Pontifex, M. B., Posthuma, D., Stubbe, J. H., Boomsma, D. I., and de Geus, E. J. C. (2006). Physical activity and cognitive function in a cross-section of younger and older community-dwelling individuals. Health Psychology, 25 (6).

Hinson, J. M., Jameson, T. L., and Whitney, P. (2003). Impulsive decision making and working memory. Journal of Experimental Psychology: Learning, Memory and Cognition, 29 (2), 298-306.

Hiscock, M. (1986). Lateral eye movements and dual-task performance. In H. J. Hanney (Ed.), Experimental Techniques in Human Neuropsychology (pp. 264-308). New York: Oxford University Press.

Holtfreter, K., Reisig, M. D., Piquero, N. L., and Piquero, A. R. (2010). Low self-control and fraud offending, victimization, and their overlap. Criminal Justice and Behaviour, 37 (2), 188-203.

Hong, K. W., Kelley, C. M., Tembe, R., Murphy-Hill, E., and Mayhorn, C. B. (2013). Keeping up with the Joneses: Assessing phishing susceptibility in an email task. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, September 2013, 57 (1), 1012-1016.

Hoyle, R. H., Stephenson, M. T., Palmgreen, P., Lorch, E. P., and Donohew, R. L. (2002). Reliability and validity of a brief measure of sensation seeking. Personality and Individual Differences, 32, 401-414.

Islam, R., and Abawajy, J. (2013). A multi-tier phishing detection and filtering approach. Journal of Network and Computer Applications, 36 (1), 324-335.

Jakobsson, M., Tsow, A., Shah, A., Blevis, E., and Lim, Y. K. (2007). What instills trust? A qualitative study of phishing. In International Conference on Financial Cryptography and Data Security (pp. 356-361). Berlin: Springer.

Jagatic, T. N., Johnson, N. A., Jakobsson, M., and Menczer, F. (2005). Social phishing. Communications of the ACM, 50 (10), 94-100.

Jones, H. S., Towse, J., and Race, N. (2015). Susceptibility to email fraud: A review of psychological perspectives, data-collection methods, and ethical considerations. International Journal of Cyber Behavior, Psychology, and Learning, 5 (3), 13-29.

Kahneman, D. (2000). A psychological point of view: Violations of rational rules as a diagnostic of mental processes. Behavioural and Brain Sciences, 23, 681-683.

Kane, M. J., Bleckley, M. K., Conway, A. R. A., and Engle, R. W. (2001). A controlled-attention view of working-memory capacity. Journal of Experimental Psychology: General, 130 (2), 169-183.

Kane, M. J., and Engle, R. W. (2000). Working memory capacity, proactive interference, and divided attention: Limits on long-term memory retrieval. Journal of Experimental Psychology: Learning, Memory, and Cognition, 26 (2), 336-358.

Karat, J., Karat, C., and Brodie, C. (2009). Human-computer interaction viewed from the intersection of privacy, security, and trust. In A. Sears, and J. A. Jacko (Eds.), Human-Computer Interaction: Design Issues, Solutions, and Applications, 311-330. Boca Raton, FL: CRC Press.

King, M. F., and Bruner, G. C. (2000). Social desirability bias: A neglected aspect of validity testing. Psychology and Marketing, 17 (2), 79-103.

Klein, R. A., Ratcliff, K. A., Vianello, M., Adams Jr., R. B., Bahník, Š., Bernstein, M. J., … and Cemalcilar, Z. (2014). Investigating variation in replicability. Social Psychology, 45, 142-152.

Kok, A. (2000). Age-related changes in involuntary and voluntary attention as reflected in components of the event-related potential (ERP). Biological Psychology, 54 (1), 107-143.

Kruglanski (1990). Motivations for judging and knowing: Implications for causal attribution. In E. T. Higgins & R. M. Sorrentino (Eds.), The handbook of motivation and cognition: Foundation of social behaviour, 2, 333-368. New York: Guilford Press.

Kyllonen, P., and Christal, R. E. (1990). Reasoning ability is (little more than) working memory capacity? Intelligence, 14, 389-433.

Langenderfer, J., and Shimp, T. A. (2001). Consumer vulnerability to scams, swindles, and fraud: A new theory of visceral influences on persuasion. Psychology and Marketing, 18 (7), 763-783.

Leung, F., and Savithiri, R. (2009). Spotlight on focus groups. Canadian Family Physician, 55 (2), 218-219.

Li, H., Edwards, S. M., and Lee, J. H. (2002). Measuring the intrusiveness of advertisements: Scale development and validation. Journal of Advertising, 31 (2), 37-47.

Macmillan, N. A. (1993). Signal detection theory as data analysis method and psychological decision model. In G. Keren & C. Lewis (Eds.), A Handbook for Data Analysis in the Behavioural Sciences: Methodological Issues (pp. 21-57). Hillsdale, NJ: Erlbaum.

Macmillan, N. A. (2002). Signal detection theory. In H. Pashler & J. Wixted (Eds.), Stevens’ Handbook of Experimental Psychology (Third edition, vol. 4, pp. 43-90). New York: John Wiley & Sons, Inc.

Mack, S. (2014). Reasoning and judgements made in an online capacity. An exploration of how phishing emails influence decision making strategies (Unpublished undergraduate dissertation). Lancaster University, Lancaster.

Markovits, H., Doyon, C., and Simoneau, M. (2002). Individual differences in working memory and conditional reasoning with concrete and abstract content. Thinking and Reasoning, 8 (2), 97-107.

McCormac, A., Calic, D., Parsons, K., Zwaans, T., Butavicius, M., and Pattinson, M. (2016). Test-retest reliability and internal consistency of the Human Aspects of Information Security Questionnaire (HAIS-Q). Paper to be presented at Australasian Conference on Information Systems, Wollongong, Australia.

Mitnick, K. D., and Simon, W. L. (2002). The Art of Deception. Indianapolis: Wiley Publishing, Inc.

Miyake, A., Just, M. A., and Carpenter, P. A. (1994). Working memory constraints on the resolution of lexical ambiguity: Maintaining multiple interpretations in neutral contexts. Journal of Memory and Language, 33, 175-202.

Modic, D., and Anderson, R. J. (2014). We will make you like our research: The development of a susceptibility-to-persuasion scale. Social Sciences Research Network. Retrieved from http://ssrn.com/abstract=2446971 [Accessed 16 July 2014].

Modic, D., and Lea, S. E. G. (2011). How neurotic are scam victims, really? The big five and Internet scams. Paper presented at the 2011 Conference of the International Confederation for the Advancement of Behavioral Economics and Economic Psychology, Exeter: UK.

Modic, D., and Lea, S. E. G. (2013). Scam compliance and the psychology of persuasion. Social Sciences Research Network. Retrieved from http://ssrn.com/abstract=2364464 [Accessed 16 July 2014].

Myers, S. (2007). Introduction to phishing. In M. Jakobsson, and S. Myers (Eds.), Phishing and Countermeasures (pp. 1-29). New Jersey: John Wiley & Sons, Inc.

National Fraud Authority (2011). A quantitative segmentation of the UK population. Helping to determine how, why and when citizens become victims of fraud. Retrieved from https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/118481/national-fraud-segmentation.pdf [Accessed 8 July 2013].

Nederhof, A. J. (1985). Methods of coping with social desirability bias: A review. European Journal of Social Psychology, 15, 263-280.

Norton (2014). Online fraud: Phishing. Retrieved from http://uk.norton.com/cybercrime-phishing [Accessed 12 July 2014].

Onwuegbuzie, A. J., Dickinson, W. B., Leech, N. L., and Zoran, A. G. (2009). A qualitative framework for collecting and analyzing data in focus group research. International Journal of Qualitative Methods, 8 (3), 1-21.

Office for National Statistics (2015). Crime Statistics, Year Ending June 2015. Retrieved from http://www.ons.gov.uk/ons/rel/crime-stats/crime-statistics/year-ending-june-2015/sty-fraud.html [Accessed 1 August 2016].

Pak, K. B. S., and Shadel, D. P. (2011). AARP Foundation National Fraud Victim Study. Retrieved from http://assets.aarp.org/rgcenter/econ/fraud-victims-11.pdf [Accessed 5 September 2013].

Park, H., and Reder, L. M. (2004). Moses illusion: Implication for human cognition. Cognitive Illusions, 275-291.

Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., and Jerram, C. (2013). Phishing for the truth: A scenario-based study of users’ behavioural response to emails. In IFIP International Information Security Conference (pp. 366-378). Berlin: Springer.

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., and Jerram, C. (2014). Determining employee awareness using the human aspects of information security questionnaire (HAIS-Q). Computers and Security, 42, 165-176.

Paulhus, D. L. (1991). Measurement and control of response bias. In J. P. Robinson et al. (Eds.), Artifact in Behavioural Research (pp. 17-59). New York: Academic Press.

Peirce, J. W. (2009). Generating stimuli for neuroscience using PsychoPy. Frontiers in Neuroinformatics, 2 (10).

Porcelli, A. J., and Delgado, M. R. (2009). Acute stress modulates risk taking in financial decision-making. Psychological Science, 20 (3), 278-283.

Pratt, T. C., Holtfreter, K., and Reisig, M. D. (2010). Routine online activity and internet fraud targeting: Extending the generality of routine activity theory. Journal of Research in Crime and Delinquency, 47 (3), 267-296.

Reder, L. M., and Kusbit, G. W. (1991). Locus of the Moses illusion: Imperfect encoding, retrieval, or match? Journal of Memory and Language, 30 (4), 385-406.

Redick, T. S., and Engle, R. W. (2006). Working memory capacity and attention network test performance. Applied Cognitive Psychology, 20, 713-721.

Redick, T. S., Heitz, R. P., and Engle, R. W. (2007). Working memory capacity and inhibition: Cognitive and social consequences. In D. S. Gorfein, and C. M. MacLeod (Eds.), Inhibition in Cognition (pp. 125-142). Washington: American Psychological Association.

Roda, C. (2011). Human attention and its implications for human-computer interaction. In C. Roda (Ed.), Human Attention in Digital Environments (pp. 11-62). Cambridge: Cambridge University Press.

Roets, A., and van Hiel, A. (2011). Item selection and validation of a brief, 15-item version of the Need for Closure scale. Personality and Individual Differences, 50, 90-94.

Salah, K., Alcaraz Calero, J. M., Zeadally, S., Al-Mulla, S., and Alzaabi, M. (2013). Using cloud computing to implement a security overlay network. IEEE Security & Privacy, 11 (1), 44-53.

Schneier, B. (2000a). Secrets & Lies: Digital Security in a Networked World. Indianapolis: Wiley Publishing Inc.

Schneier, B. (2000b). Semantic Attacks: The Third Wave of Network Attacks. Schneier on Security blog. Retrieved from https://www.schneier.com/crypto-gram/archives/2000/1015.html#1 [Accessed 2 August 2016].

Schreck, C. J. (1999). Criminal victimization and low self-control: An extension and test of a general theory of crime. Justice Quarterly, 16.

Shadel, D. P., and Pak, K. B. S. (2007). The Psychology of Consumer Fraud (Unpublished doctoral thesis). Tilburg University, Netherlands.

Sheng, S., Holbrook, M. B., Kumaraguru, P., Cranor, L. F., and Downs, J. S. (2010). Who falls for phish? A demographic analysis of phishing susceptibility and effectiveness of interventions. In Proceedings of the CHI Conference on Human Factors in Computing Systems (pp. 373-382). ACM.

Slavin, S. (2015). PsyScript 3 (Version 0.9.0) [Computer software]. Lancaster University. Retrieved July 3, 2014. Available from: http://www.lancaster.ac.uk/psychology/research/research-software/psyscript3/

Slowiaczek, M. L., and Clifton Jr., C. (1980). Subvocalization and reading for meaning. Journal of Verbal Learning and Verbal Behavior, 19 (5), 573-582.

Smagorinsky, P. (1998). Thinking and speech and protocol analysis. Mind, Culture, and Activity, 5 (3), 157-177.

Smithson, J. (2000). Using and analysing focus groups: Limitations and possibilities. International Journal of Social Research Methodology, 3 (2), 103-119.

Stanovich, K. E. (1999). Who is rational? Studies of individual differences in reasoning. Mahwah, NJ: Erlbaum.

Stanovich, K. E., and West, R. F. (2002). Individual differences in reasoning: Implications for the rationality debate. In Gilovich, T., Griffin, D., and Kahneman, D. (Eds.), Heuristics and Biases: The Psychology of Intuitive

*

Judgment((pp.(421>440).(New(York:(Cambridge(University(Press.(

Stroop,(J.(R.((1935).(Studies(of(interference(in(serial(verbal(reactions.(Journal*of* *

Experimental*Psychology,(18*(6),(643–662.(

Symantec((2014).(Internet(Security(Threat(Report(2014.(Retrieved(from:( (

http://www.symantec.com/content/en/us/enterprise/other_resources/b>

(

istr_main_report_v19_21291018.en>us.pdf([Accessed(4(August(2016].(

Tangney,(J.(P.,(Baumeister,(R.(F.,(and(Boone,(A.(L.((2004).(High(self>control(predicts( (

good(adjustment,(less(pathology,(better(grades,(and(interpersonal(success.(

(

Journal*of*personality,*72((2),(271>324.(

The(Radicati(Group((2015).(Email(Statistics(Report,(2015>2019.(Retrieved(from:( (

http://www.radicati.com/wp/wp>content/uploads/2015/02/Email>Statistics>

(

Report>2015>2019>Executive>Summary.pdf([Accessed(23(November(2016].(

Tversky,(A.,(and(Kahneman,(D.((1973).(Availability:(A(heuristic(for(judging(frequency( (

and(probability.(Cognitive*Psychology,*5((2),(207>232.(

Tversky,(A.,(and(Kahneman,(D.((1975).(Judgment(under(uncertainty:(Heuristics(and( (

biases.(In(Utility,*Probability,*and*Human*Decision*Making((pp.(141>162).(

(

Netherlands:(Springer.(

van(Someren,(M.,(Barnard,(Y.(F.,(and(Sandberg,(J.(A.((1994).(The*Think*Aloud*Method:* *

A*Practical*Approach*to*Modelling*Cognitive*Processes.(London:(Academic(

(

Press.(

van(Wilsem,(J.((2013).(‘Bought(it,(but(never(got(it’:(Assessing(risk(factors(for(online( (

consumer(fraud(victimization.(European*Sociological*Review,*29((2),(168>178.(

Vishwanath,(A.((2015).(Examining(the(distinct(antecedents(of(e>mail(habits(and(its( (

influence(on(the(outcomes(of(a(phishing(attack.(Journal*of*Computer;

*

mediated*Communication,*20((5),(570>584.(

!

273!

! Vishwanath,(A.,(Herath,(T.,(Chen,(R.,(Wang,(J.,(and(Rao,(H.(R.((2011).(Why(do(people( (

get(phished?(Testing(individual(differences(in(phishing(vulnerability(within(an(

(

integrated,(information(processing(model.(Decision*Support*Systems,*51,(576>

(

586.(

Webster,(D.(M.,(and(Kruglanski,(A.(W.((1994).(Individual(differences(in(need(for( (

cognitive(closure.(Journal*of*Personality*and*Social*Psychology,*67,(1049–

(

1062.(

Whiteside,(S.(P.,(and(Lynam,(D.(R.((2001).(The(five(factor(model(and(impulsivity:( (

Using(a(structural(model(of(personality(to(understand(impulsivity.(Personality*

*

and*Individual*Differences,*30,(669>689.(

Whiteside,(S.(P.,(Lynam,(D.(R.,(Miller,(J.(D.,(and(Reynolds,(S.(K.((2005).(Validation(of( (

the(UPPS(impulsive(behaviour(scale:(A(four>factor(model(of(impulsivity.(

(

European*Journal*of*Personality,*19,(559>574.(

Whitty,(M.(T.,(and(Buchanan,(T.((2012).(The(online(romance(scam:(A(serious( (

cybercrime.(CyberPsychology,*Behavior,*and*Social*Networking,(15(3),(181>

(

183.(

Workman,(M.((2007).(Gaining(access(with(social(engineering:(An(empirical(study(of( (

threat.(Information*Systems*Security,*16((6),(315>331.(

Wright,(R.(T.,(and(Marett,(K.((2010).(The(influence(of(experiential(and(dispositional( (

factors(in(phishing:(An(empirical(investigation(of(the(deceived.(Journal*of*

*

Management* Information*Systems,*27*(1),(273>303.(

Yan,(Z.,(and(Gozu,(H.(Y.((2012).(Online(Decision>Making(in(Receiving(Spam(Emails( (

Among(College(Students.(International*Journal*of*Cyber*Behavior,*Psychology*

*

and*Learning*(IJCBPL),*2(1),(1>12.((

Zuckerman,(M.,(Eysenck,(S.,(and(Eysenck,(H.(J.((1978).(Sensation(seeking(in(England( (

and(America:(cross>cultural(age(and(sex(comparisons.(Journal*of*Consulting*

*

and*Clinical*Psychology,*46,(139–149.(

! !

!

274!

Appendices

All appendices mentioned in the thesis can be viewed at https://dx.doi.org/10.17635/lancaster/researchdata/117.
